SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
CVE-2024-37331

8.8HIGH

Key Information:

Vendor
Microsoft
Status
Microsoft Sql Server 2017 (gdr)
Microsoft Sql Server 2019 (gdr)
Microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Vendor
CVE Published:
9 July 2024

Summary

The SQL Server Native Client OLE DB Provider contains a vulnerability that allows for remote code execution via crafted requests. This issue arises from improper handling of input, potentially enabling an attacker to execute arbitrary code on the server or application. Applications utilizing this provider are at risk, and it is essential for organizations to assess their exposure and implement appropriate security measures to mitigate potential attacks.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6441.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7037.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3471.2

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...
vendor-advisory

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2024-37331 : SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability | SecurityVulnerability.io