First published: Tue Jul 08 2008(Updated: )
Integer underflow in SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 allows remote authenticated users to execute arbitrary code via a (1) SMB or (2) WebDAV pathname for an on-disk file (aka stored backup file) with a crafted record size value, which triggers a heap-based buffer overflow, aka "SQL Server Memory Corruption Vulnerability."
Credit: secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft SQL Server | =2005-sp1 | |
Microsoft SQL Server | =2005-sp1 | |
Microsoft SQL Server | =2000-sp4 | |
Microsoft SQL Server | =2005-sp1 | |
Microsoft SQL Server | =2005-sp1 | |
Microsoft SQL Server | =7.0-sp4 | |
Microsoft SQL Server | =2005-sp2 | |
Microsoft SQL Server | =2000-sp4 | |
Microsoft SQL Server Data Engine (MSDE) | =1.0-sp4 | |
Microsoft SQL Server | =2005-sp2 | |
Microsoft SQL Server | =2005-sp2 | |
Microsoft SQL Server | =2000-sp4 | |
Microsoft SQL Server | =2005-sp2 | |
Microsoft Windows Media Services | =2000 | |
Microsoft Yukon | =sp2 | |
Microsoft Windows Server 2003 | =sp1 | |
Microsoft Windows Server 2003 | =sp2 | |
Microsoft Yukon | =sp2 | |
Microsoft Windows Server | ||
Microsoft Windows Server | =sp2 | |
Microsoft Windows Server | ||
Microsoft Windows Server |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2008-0107 has a medium severity due to its potential for unauthorized remote code execution.
To remediate CVE-2008-0107, users should apply the latest security patches provided by Microsoft for affected SQL Server versions.
CVE-2008-0107 affects Microsoft SQL Server 7.0 SP4, 2000 SP4, 2005 SP1, and SP2, among other related products.
Yes, CVE-2008-0107 can be exploited by remote authenticated users, allowing them to execute arbitrary code.
CVE-2008-0107 is classified as an integer underflow vulnerability affecting the SQL Server database engine.