Information Disclosure Vulnerability in Microsoft SQL Server Management Studio
CVE-2018-8527

5.5 MEDIUM

Summary

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when the software processes a malicious XEL file that contains a reference to an external entity. An attacker can use such a crafted file to expose sensitive information from users running SQL Server Management Studio versions 17.9 and 18.0. The issue underlines the need for care when handling files from untrusted sources and the importance of patching to protect sensitive data.

Affected Version(s)

SQL Server Management Studio 17.9

SQL Server Management Studio 18.0 (Preview 4)

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
