Double Free (CWE-415)
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability. This vulnerability affects the confidentiality, integrity, and availability of the system, all with high impact. The attack vector is network-based, with low attack complexity and no privileges required, but it does require user interaction.
An attacker could potentially execute arbitrary code remotely on affected systems. This could lead to unauthorized access to sensitive data, modification of system files or data, and potential disruption of services. The attack requires user interaction, which might involve tricking a user into connecting to a malicious server or opening a specially crafted file. Given the high impact on confidentiality, integrity, and availability, a successful exploit could have severe consequences for the affected systems and data.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. Microsoft released an official fix for this vulnerability on July 9, 2024. The following SQL Server versions are affected and should be updated: 1. SQL Server 2019: Versions 15.0.4375.4 to 15.0.4382.1 (exclusive) and versions up to 15.0.2116.2 (exclusive) 2. SQL Server 2016: Versions 13.0.7000.253 to 13.0.7037.1 (exclusive) and versions up to 13.0.6441.1 (exclusive) 3. SQL Server 2022: Versions 16.0.4125.3 to 16.0.4131.2 (exclusive) and versions up to 16.0.1121.4 (exclusive) 4. SQL Server 2017: Versions up to 14.0.2056.2 (exclusive) and versions 14.0.3456.2 to 14.0.3471.2 (exclusive)
1. Apply the official patch released by Microsoft as soon as possible. 2. Implement network segmentation to limit exposure of vulnerable systems. 3. Educate users about the risks of interacting with untrusted sources or opening suspicious files. 4. Monitor for unusual activity related to SQL Server Native Client OLE DB Provider. 5. Consider implementing additional access controls or authentication mechanisms for critical systems. 6. Keep all SQL Server related components and clients up to date with the latest security updates.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Detection for the vulnerability has been added to Qualys (380160)
A CVSS base score of 8.8 has been assigned.
NVD published the first details for CVE-2024-38087
Feedly found the first article mentioning CVE-2024-38087. See article
Feedly estimated the CVSS score as HIGH
This CVE started to trend in security discussions
EPSS Score was set to: 0.09% (Percentile: 39.4%)
This CVE stopped trending in security discussions