CVE-2024-37320 — Use After Free in Microsoft SQL Server 2016 Service Pack 3

CWE-416 — Use After Free4 documents4 sources

Severity

8.8HIGHNVD

EPSS

3.0%

top 13.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft SQL Server 2016 Service Pack 3 Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft SQL Server 2017 +8 more

Timeline

PublishedJul 9

Description

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5microsoft/microsoft_sql_server_201714.0.0 — 14.0.2056.2+1

▶CVEListV5microsoft/microsoft_sql_server_201915.0.0 — 15.0.2116.2

▶CVEListV5microsoft/microsoft_sql_server_202216.0.0 — 16.0.1121.4

▶CVEListV5microsoft/microsoft_sql_server_2022_for16.0.0 — 16.0.4131.2

▶CVEListV5microsoft/microsoft_sql_server_2016_service_pack_313.0.0 — 13.0.6441.1

Patches

Patch: msrc.microsoft.com ↗Patch: msrc.microsoft.com ↗

🔴Vulnerability Details

CVEList

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability↗2024-07-09

▶

GHSA

GHSA-9xfj-m4jq-g85x: SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability↗2024-07-09

▶

📋Vendor Advisories

Microsoft

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability↗2024-07-09

▶

External resources

NVD MITRE

Affected products11

Microsoft SQL Server 2016fixed in 13.0.6441.1≥ 13.0.7000.253, < 13.0.7037.1

Microsoft SQL Server 2016 Service Pack 3≥ 13.0.0, < 13.0.6441.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack≥ 13.0.0, < 13.0.7037.1

Microsoft SQL Server 2017≥ 14.0.0, < 14.0.2056.2≥ 14.0.0, < 14.0.3471.2

Microsoft SQL Server 2017fixed in 14.0.2056.2≥ 14.0.3456.2, < 14.0.3471.2

Microsoft SQL Server 2019≥ 15.0.0, < 15.0.2116.2

Microsoft SQL Server 2019fixed in 15.0.2116.2≥ 15.0.4375.4, < 15.0.4382.1

Microsoft SQL Server 2019 FOR X64-based Systems≥ 15.0.0, < 15.0.4382.1

Microsoft SQL Server 2022≥ 16.0.0, < 16.0.1121.4

Microsoft SQL Server 2022fixed in 16.0.1121.4≥ 16.0.4125.3, < 16.0.4131.2

Disclosure

PublishedJul 9, 2024