CVE-2024-49011: SQL Server Native Client Remote Code Execution Vulnerability
Overview
- Severity
- High (CVSS 8.8)
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category
- Remote Code Execution
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2024-Nov
- Released
- 2024-11-12
- EPSS Score
- 4.03% (percentile: 88.5%)
FAQ
How could an attacker exploit this vulnerability?
An attacker could exploit the vulnerability by tricking an authenticated user (UI:R) into attempting to connect to a malicious SQL server database via a connection driver (for example: OLE DB or OLEDB as applicable). This could result in the database returning malicious data that could cause arbitrary code execution on the client.
Affected Products (6)
SQL Server
- Microsoft SQL Server 2017 for x64-based Systems (GDR)
- Microsoft SQL Server 2019 for x64-based Systems (GDR)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack
- Microsoft SQL Server 2017 for x64-based Systems (CU 31)
- Microsoft SQL Server 2019 for x64-based Systems (CU 29)
Security Updates (6)
Acknowledgments
Anonymous
Revision History
- 2024-11-12: Information published.