SQL Server Native Client Remote Code Execution Vulnerability
CVE-2024-49000

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2017 (gdr); Microsoft Sql Server 2019 (gdr); Microsoft Sql Server 2016 Service Pack 3 (gdr); Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Vendor: CVE Published:; 12 November 2024

Summary

A vulnerability has been identified in the SQL Server Native Client that allows an attacker to execute arbitrary code on the system where the client is installed. This remote code execution vulnerability can be exploited by sending specially crafted requests to the SQL Server, which may lead to escalation of privileges or unauthorized access to sensitive data. It is critical for users and organizations utilizing affected versions to implement the recommended security updates to mitigate any potential risks associated with this vulnerability.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6455.2

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7050.2

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3485.1

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

EPSS Score

0% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 12, 2024

Collectors

NVD DatabaseMitre DatabaseMicrosoft Feed