First published: Tue Nov 12 2024(Updated: )
SQL Server Native Client Remote Code Execution Vulnerability
Credit: secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft SQL Server 2017 | ||
Microsoft SQL Server 2016 Azure Connect Feature Pack | ||
Microsoft SQL Server 2019 | ||
Microsoft SQL Server | ||
Microsoft SQL Server LocalDB 2016 | ||
Microsoft VSS Writer for SQL Server 2019 | ||
Microsoft SQL Server LocalDB 2016 | >=13.0.6300.2<13.0.6455.2 | |
Microsoft SQL Server LocalDB 2016 | >=13.0.7000.253<13.0.7050.2 | |
Microsoft SQL Server | >=14.0.1000.169<14.0.2070.1 | |
Microsoft SQL Server | >=14.0.3006.16<14.0.3485.1 | |
Microsoft VSS Writer for SQL Server 2019 | >=15.0.2000.5<15.0.2130.3 | |
Microsoft VSS Writer for SQL Server 2019 | >=15.0.4003.23<15.0.4410.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-49001 is categorized as a remote code execution vulnerability, which can allow an attacker to execute arbitrary code on the affected system.
To remediate CVE-2024-49001, apply the latest security patch provided by Microsoft for the affected SQL Server versions.
CVE-2024-49001 affects Microsoft SQL Server 2016, 2017, and 2019, including specific builds and patch levels.
Exploitation of CVE-2024-49001 can lead to unauthorized remote access and control of the SQL Server instance.
While the best solution is to apply the patch, temporarily limiting network access to the SQL Server may reduce exposure until a fix can be implemented.