Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
CVE-2024-0056

8.7 HIGH

Key Information:

Vendor
Microsoft
CVE Published:
9 January 2024

Badges

📰 News Worthy

Summary

A security feature bypass vulnerability exists in Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Providers. This vulnerability allows an attacker to bypass security measures intended to restrict user access and control over SQL database activities. Successful exploitation could lead to unauthorized data access or manipulation, posing significant risks to the integrity and confidentiality of sensitive information. Organizations utilizing these data providers must assess their environment to apply necessary mitigations and protect their database systems.

Affected Version(s)

.NET 6.0 Unknown 6.0.0 < 6.0.26

.NET 7.0 Unknown 7.0.0 < 7.0.15

.NET 8.0 Unknown 1.0.0 < 8.0.1

News Articles

Kaspersky Threats - KLA62822 Multiple vulnerabilities in Microsoft Developer Tools

1 year ago

Microsoft fixes 48 bugs in January Patch Tuesday, none of them zero-days

Security pros noted that the first Patch Tuesday of 2024 was the second consecutive release by Microsoft with no zero-days.

1 year ago

EPSS Score

0% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 📰 First article discovered by SC Magazine

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database, Microsoft Feed, 2 News Article(s)