Is the CVSS vector different as it relates to the Microsoft services that the vulnerability affects?

The vulnerability in the Redshift driver referenced in the CVE impacts the Microsoft services listed in the affected software table. The environmental score for the affected Microsoft services can differ from the score assigned by the owner of the CVE. The environmental score that Microsoft has assigned is 8.2.

Environmental Vector

Element                        Value     Comment
Modified Attack Vector         Network
Modified Attack Complexity     Low
Modified Privileges Required   High
Modified User Interaction      None
Modified Scope                 Changed   The vulnerability in the Redshift driver impacts the services listed in the affected software table.
Modified Confidentiality       High
Modified Integrity             High
Modified Availability          High

Are there any special roles that enable exploitation of this vulnerability?

Exploiting this vulnerability requires an attacker to hold at least one of the following Synapse roles:
- Synapse Administrator
- Synapse Contributor
- Synapse Compute Operator
For more details on these roles, please refer to Synapse RBAC Roles.

Why is the MITRE Corporation the assigning CNA (CVE Numbering Authority)?

CVE-2022-29972 concerns a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver, a third-party component; MITRE created this CVE on the driver vendor's behalf. Please see Redshift and Athena Driver Vulnerability for more information.
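As an added worked example, not code from the Microsoft advisory or from FIRST, the following Python implements the CVSS v3.1 base, temporal and environmental equations so that the effect of the modified metrics in the table above can be checked against any base vector. The owner's base vector used in `compare()` is a constructed placeholder (the advisory does not reproduce the CVE owner's vector); the modified metrics appended to it are exactly those Microsoft lists in the table.

```python
"""CVSS v3.1 base / temporal / environmental calculator.

Added worked example for the environmental vector in the advisory above; this is
not Microsoft's or FIRST's code. Weights and equations follow the CVSS v3.1
specification (section 7, including its Roundup function).
"""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # privileges weigh more once scope changes
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
EXPLOIT_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}
REQUIREMENT = {"X": 1.0, "L": 0.5, "M": 1.0, "H": 1.5}   # CR / IR / AR


def roundup(value):
    """Round up to one decimal exactly as CVSS v3.1 section 7.5 prescribes."""
    as_int = int(round(value * 100000))
    if as_int % 10000 == 0:
        return as_int / 100000.0
    return (math.floor(as_int / 10000) + 1) / 10.0


def parse(vector):
    """Turn 'CVSS:3.1/AV:N/...' into a dict of metric -> value."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    return dict(part.split(":", 1) for part in parts)


def _temporal_factor(m):
    return (EXPLOIT_MATURITY[m.get("E", "X")] * REMEDIATION[m.get("RL", "X")]
            * CONFIDENCE[m.get("RC", "X")])


def _score(av, ac, pr, ui, scope_changed, impact, temporal=1.0):
    """Combine an impact sub-score with the exploitability sub-score."""
    pr_weight = (PR_CHANGED if scope_changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    raw = 1.08 * (impact + exploitability) if scope_changed else impact + exploitability
    return roundup(roundup(min(raw, 10.0)) * temporal)


def _base_impact(m):
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if m["S"] == "C":
        return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return 6.42 * iss


def base_score(m):
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"] == "C", _base_impact(m))


def temporal_score(m):
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"] == "C",
                  _base_impact(m), _temporal_factor(m))


def environmental_score(m):
    """Modified metrics override the base ones; CR/IR/AR weight the impact."""
    def eff(name):  # modified value, falling back to the base value when absent or 'X'
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v

    scope_changed = eff("S") == "C"
    miss = min(1 - (1 - CIA[eff("C")] * REQUIREMENT[m.get("CR", "X")])
                   * (1 - CIA[eff("I")] * REQUIREMENT[m.get("IR", "X")])
                   * (1 - CIA[eff("A")] * REQUIREMENT[m.get("AR", "X")]), 0.915)
    if scope_changed:
        impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    else:
        impact = 6.42 * miss
    return _score(eff("AV"), eff("AC"), eff("PR"), eff("UI"), scope_changed,
                  impact, _temporal_factor(m))


# Constructed placeholder for the CVE owner's base vector (hypothetical, not the
# published score), plus the modified metrics Microsoft lists in the advisory table.
OWNER_BASE = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
MICROSOFT_MODIFIERS = "MAV:N/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H"


def compare(base_vector=OWNER_BASE, modifiers=MICROSOFT_MODIFIERS):
    """Return (owner's base score, environmental score once the modifiers are applied)."""
    return (base_score(parse(base_vector)),
            environmental_score(parse(base_vector + "/" + modifiers)))


if __name__ == "__main__":
    print("owner base / environmental with Microsoft's modifiers:", compare())
```

Under the v3.1 equations the modified metrics in the table alone evaluate to 9.1, so they do not by themselves reproduce the published 8.2; the advisory's figure is Microsoft's, and the calculator is for seeing how your own modifiers (including CR/IR/AR and the temporal E/RL/RC metrics) move the score for your deployment rather than for re-deriving the vendor's number.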
Tzah Pahima from Orca Security