CVE-2022-23276: SQL Server for Linux Containers Elevation of Privilege Vulnerability

Overview

Severity
High (CVSS 7.8)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2022-Feb
Released
2022-02-08
Last Updated
2022-02-09
EPSS Score
0.20% (percentile: 42.1%)

FAQ

If I'm running SQL Server 2019 on-premises, am I vulnerable to this CVE? This vulnerability exists only in the containerized version of SQL Server 2019 for Linux. If you are running that version, Microsoft recommends applying the update.

Affected Products (1)

SQL Server

  • SQL Server 2019 for Linux Containers

Security Updates (1)

Acknowledgments

Alon Zahavi (https://twitter.com/alon_z4) and Nir Chako (https://twitter.com/c_h4ck_0) with CyberArk Labs (https://labs.cyberark.com/)

Revision History

  • 2022-02-08: Information published.
  • 2022-02-09: Updated acknowledgment. This is an informational change only.