CVE-2024-28938 - OpenCVE

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Microsoft	Odbc Driver 17 For Sql Server Odbc Driver 18 For Sql Server Sql Server Visual Studio Visual Studio 2019 Visual Studio 2022

No data.

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28938

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2024-04-09T17:01:16.170Z

Updated: 2024-10-09T01:41:51.130Z

Reserved: 2024-03-13T01:26:53.037Z

Link: CVE-2024-28938

Vulnrichment

Updated: 2024-08-02T01:03:51.355Z

NVD

Status : Awaiting Analysis

Published: 2024-04-09T17:15:55.600

Modified: 2024-04-10T13:24:00.070

Link: CVE-2024-28938

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28938", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2024-03-13T01:26:53.037Z", "datePublished": "2024-04-09T17:01:16.170Z", "dateUpdated": "2024-10-09T01:41:51.130Z"}, "containers": {"cna": {"title": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "datePublic": "2024-04-09T07:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 for (CU 12)", "cpes": ["cpe:2.3:a:microsoft:sql_server:2022:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.4120.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (CU 25)", "cpes": ["cpe:2.3:a:microsoft:sql_server:2019:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "15.0.0", "lessThan": "15.0.4360.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (GDR)", "cpes": ["cpe:2.3:a:microsoft:sql_server:2019:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "15.0.0", "lessThan": "15.0.2110.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "cpes": ["cpe:2.3:a:microsoft:sql_server:2022:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.1115.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on Windows", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on Linux", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on MacOS", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on Windows", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on Linux", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on MacOS", "cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "16.11.0", "lessThan": "16.11.35", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0", "lessThan": "17.9.6", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.4.0", "lessThan": "17.4.18", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.6.0", "lessThan": "17.6.14", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.8.0", "lessThan": "17.8.9", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-125: Out-of-bounds Read", "lang": "en-US", "type": "CWE", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-10-09T01:41:51.130Z"}, "references": [{"name": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28938"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28938", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-10T17:30:59.430193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:20.638Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.355Z"}, "title": "CVE Program Container", "references": [{"name": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28938"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28938", "name": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.355Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28938", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-10T17:30:59.430193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T19:28:28.814Z"}}], "cna": {"title": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:microsoft:sql_server:2022:*:*:*:*:*:x64:*"], "vendor": "Microsoft", "product": "Microsoft SQL Server 2022 for (CU 12)", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.4120.1", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"cpes": ["cpe:2.3:a:microsoft:sql_server:2019:*:*:*:*:*:x64:*"], "vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (CU 25)", "versions": [{"status": "affected", "version": "15.0.0", "lessThan": "15.0.4360.2", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"cpes": ["cpe:2.3:a:microsoft:sql_server:2019:*:*:*:*:*:x64:*"], "vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (GDR)", "versions": [{"status": "affected", "version": "15.0.0", "lessThan": "15.0.2110.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"cpes": ["cpe:2.3:a:microsoft:sql_server:2022:*:*:*:*:*:x64:*"], "vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.1115.1", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on Windows", "versions": [{"status": "affected", "version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on Linux", "versions": [{"status": "affected", "version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_17_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 17 for SQL Server on MacOS", "versions": [{"status": "affected", "version": "17.0.0.0", "lessThan": "17.10.6.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on Windows", "versions": [{"status": "affected", "version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on Linux", "versions": [{"status": "affected", "version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:odbc_driver_18_for_sql_server:-:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft ODBC Driver 18 for SQL Server on MacOS", "versions": [{"status": "affected", "version": "18.0.0.0", "lessThan": "18.3.3.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)", "versions": [{"status": "affected", "version": "16.11.0", "lessThan": "16.11.35", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.9", "versions": [{"status": "affected", "version": "17.0", "lessThan": "17.9.6", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio_2022:17.4:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.4", "versions": [{"status": "affected", "version": "17.4.0", "lessThan": "17.4.18", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.6", "versions": [{"status": "affected", "version": "17.6.0", "lessThan": "17.6.14", "versionType": "custom"}], "platforms": ["Unknown"]}, {"cpes": ["cpe:2.3:a:microsoft:visual_studio:2022:*:*:*:*:*:*:*"], "vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "versions": [{"status": "affected", "version": "17.8.0", "lessThan": "17.8.9", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2024-04-09T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28938", "name": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-10-09T01:41:51.130Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28938", "state": "PUBLISHED", "dateUpdated": "2024-10-09T01:41:51.130Z", "dateReserved": "2024-03-13T01:26:53.037Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-04-09T17:01:16.170Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}