Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-21704

7.8 HIGH

Summary

The Microsoft ODBC Driver for SQL Server contains a vulnerability that allows remote code execution under certain conditions. An attacker exploiting this weakness could potentially gain unauthorized access and control over affected systems, leading to data compromise and disruption of services. It is crucial for users and administrators to apply the recommended updates to safeguard their infrastructures against this security threat. For detailed guidance on mitigation and updates, refer to the official vendor advisory.

Affected Version(s)

Microsoft SQL Server 2014 Service Pack 3 (CU 4) 32-bit Systems 12.0.0 < 12.0.6174.8

Microsoft SQL Server 2014 Service Pack 3 (GDR) x64-based Systems 12.0.0 < 12.0.6444.4

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6430.49

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
