Multiple vulnerabilities in Microsoft SQL Server Native Client



Risk High
Patch available YES
Number of vulnerabilities 29
CVE-ID CVE-2024-48994
CVE-2024-49015
CVE-2024-49009
CVE-2024-49010
CVE-2024-48999
CVE-2024-48995
CVE-2024-48996
CVE-2024-49006
CVE-2024-48998
CVE-2024-49007
CVE-2024-49017
CVE-2024-49004
CVE-2024-49001
CVE-2024-49003
CVE-2024-49008
CVE-2024-38255
CVE-2024-48993
CVE-2024-49002
CVE-2024-49016
CVE-2024-49000
CVE-2024-49005
CVE-2024-49013
CVE-2024-49014
CVE-2024-49018
CVE-2024-49011
CVE-2024-43459
CVE-2024-49012
CVE-2024-48997
CVE-2024-43462
CWE-ID CWE-122
CWE-416
CWE-415
CWE-197
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Microsoft SQL Server
Server applications / Database software

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 29 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU100272

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48994

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48994


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU100301

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49015

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49015


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

EUVDB-ID: #VU100300

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49009

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49009


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU100299

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49010

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49010


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Heap-based buffer overflow

EUVDB-ID: #VU100298

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48999

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48999


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU100297

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48995

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48995


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Heap-based buffer overflow

EUVDB-ID: #VU100296

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48996

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48996


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Heap-based buffer overflow

EUVDB-ID: #VU100295

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49006

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49006


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Heap-based buffer overflow

EUVDB-ID: #VU100294

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48998

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48998


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Heap-based buffer overflow

EUVDB-ID: #VU100293

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49007

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49007


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Heap-based buffer overflow

EUVDB-ID: #VU100292

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49017

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49017


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Heap-based buffer overflow

EUVDB-ID: #VU100291

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49004

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49004


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Heap-based buffer overflow

EUVDB-ID: #VU100290

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49001

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49001


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free

EUVDB-ID: #VU100289

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49003

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in SQL Server Native Client. A remote attacker can execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49003


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Heap-based buffer overflow

EUVDB-ID: #VU100288

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49008

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49008


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Heap-based buffer overflow

EUVDB-ID: #VU100287

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-38255

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-38255


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Heap-based buffer overflow

EUVDB-ID: #VU100286

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48993

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48993


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Heap-based buffer overflow

EUVDB-ID: #VU100285

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49002

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Use-after-free

EUVDB-ID: #VU100284

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49016

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49016


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Heap-based buffer overflow

EUVDB-ID: #VU100283

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49000

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49000


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Heap-based buffer overflow

EUVDB-ID: #VU100282

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49005

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49005


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Heap-based buffer overflow

EUVDB-ID: #VU100281

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49013

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49013


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Double free

EUVDB-ID: #VU100280

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49014

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49014


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Numeric Truncation Error

EUVDB-ID: #VU100279

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49018

CWE-ID: CWE-197 - Numeric Truncation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to numeric truncation error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL database and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49018


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Heap-based buffer overflow

EUVDB-ID: #VU100278

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49011

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49011


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Use-after-free

EUVDB-ID: #VU100277

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43459

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in SQL Server Native Client. A remote attacker can execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-43459


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Heap-based buffer overflow

EUVDB-ID: #VU100275

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-49012

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can trick a victim to connect to a malicious SQL server database, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-49012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Heap-based buffer overflow

EUVDB-ID: #VU100274

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-48997

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-48997


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Heap-based buffer overflow

EUVDB-ID: #VU100273

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-43462

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in SQL Server Native Client. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SQL Server: before 13.0.6455.2 13.0.6455.2, 13.0.7050.2 13.0.7050.2, 14.0.2070.1 14.0.2070.1, 14.0.3485.1 14.0.3485.1, 15.0.2130.3 15.0.2130.3, 13.0.6455.2 13.0.6455.2, 13.0.6455.2 13.0.6455.2

CPE2.3
External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-43462


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###