CVE-2021-2471

MEDIUM

Oracle MySQL Connector/J <8.0.26 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-2471. PoCs published by SecCoder-Security-Lab, JAckLosingHeart, cckuailong.

AI-analyzed exploit summary This repository contains functional exploit code demonstrating XXE vulnerabilities in H2 (CVE-2021-23463) and MySQL (CVE-2021-2471) JDBC drivers via SQLXML parsing. The PoC triggers XXE by fetching SQLXML data and converting it to a DOMSource, which processes external entities.

Description

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

Exploits (4)

nomisec WORKING POC 54 stars

by SecCoder-Security-Lab · poc

https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe

View Code ZIP pw:eip

This repository contains functional exploit code demonstrating XXE vulnerabilities in H2 (CVE-2021-23463) and MySQL (CVE-2021-2471) JDBC drivers via SQLXML parsing. The PoC triggers XXE by fetching SQLXML data and converting it to a DOMSource, which processes external entities.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: H2 Database (versions affected by CVE-2021-23463), MySQL Connector/J (versions affected by CVE-2021-2471)

Auth required

Prerequisites: Access to a vulnerable JDBC driver · Ability to execute SQL queries with SQLXML data containing malicious DTD references

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1213 - Data from Information Repositories

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 5 stars

by JAckLosingHeart · javapoc

https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/mysql-CVE-2021-2471

View Code ZIP pw:eip

This PoC demonstrates an XXE (XML External Entity) vulnerability in MySQL's SQLXML handling. It crafts a malicious XML payload with an external entity reference and triggers the vulnerability via JDBC connection.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: MySQL (specific version not specified in code)

Auth required

Prerequisites: MySQL server with SQLXML support · Valid database credentials · Network access to the target MySQL server

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 3 stars

by cckuailong · poc

https://github.com/cckuailong/CVE-2021-2471

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2021-2471, an XXE vulnerability in MySQL Connector/J. The exploit demonstrates how a malicious XML payload stored in a database can trigger an external entity resolution, leading to SSRF or information disclosure.

Classification

Working Poc 90%

Attack Type

Xxe

Complexity

Moderate

Reliability

Reliable

Target: MySQL Connector/J (versions prior to 8.0.23)

Auth required

Prerequisites: MySQL database with a table containing a SQLXML column · Ability to insert malicious XML data into the database · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1213 - Data from Information Repositories

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 3 stars

by DrunkenShells · poc

https://github.com/DrunkenShells/CVE-2021-2471

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2021-2471, an XXE vulnerability in MySQL Connector/J. The exploit demonstrates how malicious XML input can be processed via the `setString()` function, leading to unauthorized data access or DoS.

Classification

Working Poc 95%

Attack Type

Xxe

Complexity

Moderate

Reliability

Reliable

Target: MySQL Connector/J 8.0.26 and prior

Auth required

Prerequisites: Access to a vulnerable MySQL Connector/J instance · Ability to execute arbitrary Java code or control XML input

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2021.html

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 5.9

EPSS 0.6382

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (7)

mysql/mysql-connector-java 8.0.0 - 8.0.27Maven

oracle/communications_cloud_native_core_console 1.9.0

oracle/communications_cloud_native_core_network_slice_selection_function 1.8.0

oracle/communications_cloud_native_core_policy 1.15.0

oracle/communications_cloud_native_core_security_edge_protection_proxy 1.7.0

oracle/mysql_connectors 8.0.0 - 8.0.26

quarkus/quarkus < 2.2.4

Published Oct 20, 2021

Tracked Since Feb 18, 2026