FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-37966

Out-of-bounds Read (CWE-125)

Published: Sep 10, 2024

010
CVSS 7.1EPSS 0.05%High
CVE info copied to clipboard

Summary

Microsoft SQL Server Native Scoring has an information disclosure vulnerability. This is related to an out-of-bounds read issue, which could potentially lead to unauthorized access to sensitive information.

Impact

This vulnerability allows network-based attacks with low attack complexity. It primarily affects the confidentiality of the system, with a high impact on data confidentiality. There is also a low impact on system availability. The attack requires low privileges and no user interaction. The overall base score for this vulnerability is 7.1 out of 10, indicating it's a high severity issue.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released an update to address this vulnerability on September 10, 2024.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible. 2. Implement network segmentation to limit exposure of SQL Server instances. 3. Ensure that SQL Server instances are not directly exposed to untrusted networks. 4. Apply the principle of least privilege for SQL Server access. 5. Monitor SQL Server logs for any suspicious activities. 6. Keep all SQL Server installations up to date with the latest security patches.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380469)

Sep 10, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.1 has been assigned.

Sep 10, 2024 at 4:55 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-37966. See article

Sep 10, 2024 at 5:00 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 10, 2024 at 5:01 PM
CVE Assignment

NVD published the first details for CVE-2024-37966

Sep 10, 2024 at 5:15 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 10, 2024 at 5:52 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 18.8%)

Sep 11, 2024 at 10:12 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207067)

Sep 12, 2024 at 5:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207069)

Sep 12, 2024 at 5:15 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/sql_server
+null more

Patches

Microsoft
+null more

Attack Patterns

CAPEC-540: Overread Buffers
+null more

News

September 2024 – Microsoft Patch Tuesday Highlights
HawkEye / 2mo
Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Security Feature Bypass, and Remote Code Execution (RCE) are among the vulnerabilities that Microsoft has addressed in several software products. Updates for vulnerabilities in Microsoft Office and Components, Windows Hyper-V, Windows DHCP Server, Microsoft Streaming Service, Microsoft Management Console, Windows MSHTML Platform, Microsoft Dynamics 365 (on-premises), and other areas are included in the September edition of Microsoft Patch Tuesday.
Security Updates for Microsoft SQL Server (September 2024) (Remote)
Newest Plugins from Tenable / 2mo
The Microsoft SQL Server installation on the remote host is missing a security update. The Microsoft SQL Server installation on the remote host is missing a security update.
September Patch Tuesday addresses 79 CVEs – Sophos News
OSINT without borders / 2mo
In addition to these patches, the release includes advisory information on three CVEs addressed by patches from Adobe, affecting Reader and ColdFusion; one of the Reader vulnerabilities CVE-2024-41869) is a critical-severity use-after-free with a workable exploit already available in the wild. The bad news, for those still running either of those versions, is that critical-severity remote code execution issue, which carries a 9.8 CVE base score, occurs in… the Windows Servicing Stack.
September Patch Tuesday addresses 79 CVEs
Patch Tuesday – Sophos News / 2mo
In addition to these patches, the release includes advisory information on three CVEs addressed by patches from Adobe, affecting Reader and ColdFusion; one of the Reader vulnerabilities CVE-2024-41869) is a critical-severity use-after-free with a workable exploit already available in the wild. The bad news, for those still running either of those versions, is that critical-severity remote code execution issue, which carries a 9.8 CVE base score, occurs in… the Windows Servicing Stack.
Microsoft Security Bulletin Coverage For September 2024
SonicWall / 2mo
SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2024 and has produced coverage for 9 of the reported vulnerabilities. Microsoft’s September 2024 Patch Tuesday has 79 vulnerabilities, of which 30 are Elevation of Privilege.
See 31 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:Low

Categories

CVSS 7.1(51562)CWE-125(6651)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial