SecuriTricks - CVE-2024-37335

Description

Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability

Product(s) Impacted

Vendor	Product	Versions
Microsoft	Sql 2016 Azure Connect Feature Pack Sql Server 2016 Sql Server 2017 Sql Server 2019 Sql Server 2022	* * * * *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-122

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	microsoft	sql_2016_azure_connect_feature_pack	/	/	/	/	/	/	/	/
a	microsoft	sql_server_2016	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2017	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2017	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2019	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2019	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2022	/	/	/	/	/	/	x64	/
a	microsoft	sql_server_2022	/	/	/	/	/	/	x64	/

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37335

CVSS Score

8.8 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Date

Published: Sept. 10, 2024, 5:15 p.m.
Last Modified: Sept. 23, 2024, 4:58 p.m.

Status : Analyzed

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

secure@microsoft.com

CVE-2024-37335