Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2023-21705

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2012 Service Pack 4 (qfe); Microsoft Sql Server 2012 For X64-based Systems Service Pack 4 (qfe); Microsoft Sql Server 2017 (gdr); Microsoft Sql Server 2014 Service Pack 3 (gdr)
Vendor: CVE Published:; 14 February 2023

What is CVE-2023-21705?

A vulnerability in Microsoft SQL Server allows remote attackers to execute arbitrary code by sending specially crafted requests. This issue affects several versions of SQL Server, potentially compromising the confidentiality, integrity, and availability of the database system. Affected users should prioritize applying security updates provided by Microsoft to mitigate the risks associated with this vulnerability.

Affected Version(s)

Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE) x64-based Systems 11.0.0 < 11.0.7512.11

Microsoft SQL Server 2012 Service Pack 4 (QFE) 32-bit Systems 11.0.0 < 11.0.7512.11

Microsoft SQL Server 2014 Service Pack 3 (CU 4) 32-bit Systems 12.0.0 < 12.0.6174.8

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2023
Vulnerability Reserved
Dec 13, 2022