CVE-2023-21718: Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
Overview
- Severity: High (CVSS 7.8)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Remote Code Execution
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2023-Feb
- Released: 2023-02-14
- Last Updated: 2023-02-18
- EPSS Score: 0.59% (percentile: 69.3%)
FAQ
How could an attacker exploit this vulnerability?
An attacker could exploit the vulnerability by tricking an unauthenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client.
Affected Products (17)
ESU
- Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
- Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
- Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 3 (QFE)
- Microsoft SQL Server 2008 for 32-bit Systems Service Pack 4 (QFE)
- Microsoft SQL Server 2008 for x64-based Systems Service Pack 4 (QFE)
- Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 3 (QFE)
SQL Server
- Microsoft SQL Server 2017 for x64-based Systems (GDR)
- Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)
- Microsoft SQL Server 2019 for x64-based Systems (GDR)
- Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack
- Microsoft SQL Server 2017 for x64-based Systems (CU 31)
- Microsoft SQL Server 2022 for x64-based Systems (GDR)
- Microsoft SQL Server 2019 for x64-based Systems (CU 18)
Security Updates (9)
Acknowledgments
Anonymous
Revision History
- 2023-02-14: Information published.
- 2023-02-18: Updated the severity of the products in the Security Updates table. This is an informational change only.