CVE-2000-0045 is a vulnerability in early versions of MySQL (specifically 3.22.27, 3.22.29, and 3.23.8) that allows local users to modify passwords for arbitrary MySQL user accounts by exploiting the GRANT privilege. The GRANT statement in MySQL is used to assign privileges to users, including the ability to modify user credentials. In these affected versions, a local attacker with access to the system can leverage the GRANT privilege to change the password of any MySQL user, effectively hijacking their database account. This vulnerability does not require network access (local access only), but it does not require authentication either, meaning any local user can exploit it if they have the ability to execute GRANT commands. The CVSS score of 6.4 (medium severity) reflects the fact that the attack vector is network accessible (AV:N), with low attack complexity (AC:L), no authentication required (Au:N), and impacts confidentiality and integrity (C:P/I:P) but not availability (A:N). There is no patch available for these legacy versions, and no known exploits have been reported in the wild. However, the vulnerability represents a significant risk in environments where these outdated MySQL versions are still in use, as it allows privilege escalation and unauthorized access to database accounts, potentially leading to data breaches or unauthorized data manipulation.

For European organizations, the impact of this vulnerability depends largely on whether legacy MySQL versions are still deployed in their infrastructure. If such outdated versions are in use, an attacker with local access could change database user passwords, leading to unauthorized access to sensitive data, modification of critical information, and potential disruption of business operations. This could result in breaches of GDPR regulations due to unauthorized data access or alteration, leading to legal and financial penalties. The vulnerability could also facilitate lateral movement within internal networks if database credentials are reused or linked to other systems. Given the age of the vulnerability, it is unlikely to affect modern deployments, but legacy systems in industrial, governmental, or research institutions might still be at risk. The lack of a patch means organizations must rely on other mitigation strategies to protect against exploitation.

Since no patch is available for these specific MySQL versions, European organizations should prioritize upgrading to supported, secure versions of MySQL that have addressed this vulnerability. If upgrading is not immediately feasible, organizations should restrict local access to database servers strictly, ensuring that only trusted administrators have shell or command-line access. Implementing strict access controls and monitoring for unusual GRANT command usage can help detect potential exploitation attempts. Additionally, employing host-based intrusion detection systems (HIDS) and auditing MySQL logs for unauthorized privilege changes can provide early warning signs. Network segmentation should be used to isolate database servers from general user environments to reduce the risk of local attackers gaining access. Finally, organizations should review and enforce strong password policies and consider multi-factor authentication for administrative access to reduce the impact of compromised credentials.