Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2023-21713

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack; Microsoft Sql Server 2014 Service Pack 3 (cu 4); Microsoft Sql Server 2014 Service Pack 3 (gdr); Microsoft Sql Server 2019 (gdr)
Vendor: CVE Published:; 14 February 2023

Summary

A vulnerability has been identified in Microsoft SQL Server that could allow an attacker to execute arbitrary code on the affected server. This flaw potentially enables remote code execution, which can lead to unauthorized access and control over the database environment. It is essential for organizations using affected SQL Server versions to apply security updates and mitigations promptly to protect against this risk.

Affected Version(s)

Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE) x64-based Systems 11.0.0 < 11.0.7512.11

Microsoft SQL Server 2012 Service Pack 4 (QFE) 32-bit Systems 11.0.0 < 11.0.7512.11

Microsoft SQL Server 2014 Service Pack 3 (CU 4) 32-bit Systems 12.0.0 < 12.0.6174.8

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2023
Vulnerability Reserved
Dec 13, 2022