CVE-2023-21971

MEDIUM

Oracle MySQL Connector/J <8.0.32 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-21971. PoCs published by Avento.

AI-analyzed exploit summary This repository provides a detailed analysis and proof-of-concept for CVE-2023-21971, a deserialization vulnerability in MySQL Connector/J. The PoC demonstrates how an attacker can execute arbitrary code by manipulating the 'propertiesTransform' parameter in a JDBC connection string.

Description

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).

Exploits (1)

nomisec WORKING POC 3 stars

by Avento · poc

https://github.com/Avento/CVE-2023-21971_Analysis

View Code ZIP pw:eip

This repository provides a detailed analysis and proof-of-concept for CVE-2023-21971, a deserialization vulnerability in MySQL Connector/J. The PoC demonstrates how an attacker can execute arbitrary code by manipulating the 'propertiesTransform' parameter in a JDBC connection string.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MySQL Connector/J versions 8.0.32 and prior

No auth needed

Prerequisites: Target application using vulnerable MySQL Connector/J version · Ability to manipulate JDBC connection string

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230427-0007/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230427-0010/

Patch, Vendor Advisory vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2023.html

Patch, Vendor Advisory vendor-advisory

https://www.oracle.com/security-alerts/cpujul2023.html

Scores

CVSS v3 5.3

EPSS 0.0129

EPSS Percentile 66.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (8)

netapp/active_iq_unified_manager (3 CPE variants)

netapp/oncommand_insight

netapp/snapcenter

oracle/communications_cloud_native_core_binding_support_function 22.4.0

oracle/communications_cloud_native_core_binding_support_function 23.1.0

oracle/communications_cloud_native_core_policy 22.4.0

oracle/communications_cloud_native_core_policy 23.1.0

oracle/mysql_connectors 8.0.0 - 8.0.32

Published Apr 18, 2023

Tracked Since Feb 18, 2026