CVE-2024-38087

MSR

High

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability

CVSS

8.8

High

EPSS

0.02

p73

Published

2024-01-01

Updated

2024-01-01

Description

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability

Tags · CWE

Pre-auth

CWE-415

Affected products

Sql_server_2016 < 13.0.6441.1Sql_server_2016 13.0.7000.253–13.0.7037.1Sql_server_2017 < 14.0.2056.2Sql_server_2017 14.0.3456.2–14.0.3471.2Sql_server_2019 < 15.0.2116.2Sql_server_2019 15.0.4375.4–15.0.4382.1Sql_server_2022 < 16.0.1121.4Sql_server_2022 16.0.4125.3–16.0.4131.2

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: R

Required (R)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: H

High (H)

Availability Impact

A: H

High (H)

Exploit indicators

EPSS

0.017 · p73

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Microsoft

Windows Sql Server 2019 Sql Server 2022 Sql Server 2017 Sql Server 2016

Product	Vendor	Status
sql_server_2016	*	Tracked
sql_server_2017	*	Tracked
sql_server_2019	*	Tracked
sql_server_2022	*	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked
Windows	Microsoft	Tracked

Showing first 20 of 94

Source databases

MSR

CVE