Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37340

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2017 (gdr); Microsoft Sql Server 2019 (gdr); Microsoft Sql Server 2017 (cu 31); Microsoft Sql Server 2022 (gdr)
Vendor: CVE Published:; 10 September 2024

Summary

A vulnerability exists in Microsoft SQL Server related to the Native Scoring feature, which could allow remote code execution. If successfully exploited, an attacker could execute arbitrary code on the affected system. The vulnerability arises from improper handling of certain inputs and may affect users who rely on the SQL Server's scoring capabilities. Users are advised to apply the recommended security updates to mitigate potential risks and strengthen their database security.

Affected Version(s)

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3475.1

Microsoft SQL Server 2017 (GDR) x64-based Systems 14.0.0 < 14.0.2060.1

Microsoft SQL Server 2019 (CU 28) x64-based Systems 15.0.0 < 15.0.4390.2

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

EPSS Score

0% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 10, 2024
Vulnerability Reserved
Jun 5, 2024

Collectors

NVD DatabaseMitre DatabaseMicrosoft Feed