SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
CVE-2024-35272

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Visual Studio 2017 Version 15.9 (includes 15.0 - 15.8); Microsoft Visual Studio 2019 Version 16.11 (includes 16.0 - 16.10); Microsoft Visual Studio 2022 Version 17.6; Microsoft Visual Studio 2022 Version 17.8
Vendor: CVE Published:; 9 July 2024

Summary

The SQL Server Native Client OLE DB Provider contains a vulnerability that allows remote code execution through crafted input. Attackers with the ability to send a specially crafted request to an affected SQL Server could exploit this vulnerability, potentially leading to unauthorized access and control over systems. Proper patching of affected systems is crucial to mitigate risks associated with this vulnerability, as it can expose sensitive data and compromise system integrity. For more details, refer to Microsoft's advisory.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6441.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7037.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3471.2

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

EPSS Score

0% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 9, 2024

Collectors

NVD DatabaseMitre DatabaseMicrosoft Feed