After exploiting the vulnerability, the module copies the MySQL server’s master user table, which contains all password hashes. An attacker can crack the password hashes using dictionary attacks ...

Security flaw in MySQL, ... the authentication system of the databases creates a token from the submitted password using a Secure Hash Algorithm and a randomly generated string of text as the key.

In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

If MySQL was built on such a system, the code that compares the cryptographic hash of a user-inputted password to the hash stored in the database for a particular account will sometimes allow ...