Risk | High |
Patch available | YES |
Number of vulnerabilities | 13 |
CVE-ID | CVE-2024-28934, CVE-2024-28933, CVE-2024-28930, CVE-2024-28932, CVE-2024-28943, CVE-2024-28937, CVE-2024-28929, CVE-2024-28931, CVE-2024-28936, CVE-2024-28935, CVE-2024-29043, CVE-2024-28941, CVE-2024-28938 |
CWE-ID | CWE-121, CWE-191, CWE-122, CWE-190, CWE-416, CWE-125 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Visual Studio (Universal components / Libraries / Software for developers); Microsoft ODBC Driver for SQL Server on Linux (Universal components / Libraries / Software for developers); Microsoft ODBC Driver for SQL Server on macOS (Universal components / Libraries / Software for developers); Microsoft ODBC Driver for SQL Server on Windows (Universal components / Libraries / Software for developers); Microsoft SQL Server (Server applications / Database software) |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
EUVDB-ID: #VU88278
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28934
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote unauthenticated attacker can trick a victim into connecting to a malicious SQL server, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-28934
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88315
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28933
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer underflow in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger the integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28933
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88314
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28930
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer underflow in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger the integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28930
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88312
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28932
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28932
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88308
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28943
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28943
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88306
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28937
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft SQL Server: 2019 GDR - 2022 CU12
Visual Studio: 16.0 - 2022 version 17.9
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28937
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88288
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28929
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger the integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28929
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88287
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28931
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger the integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28931
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88284
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28936
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in Microsoft ODBC Driver for SQL Server. A remote attacker can pass specially crafted data to the application, trigger the integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28936
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88282
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28935
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-28935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88281
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-29043
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-29043
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88280
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28941
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-28941
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88279
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28938
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a boundary condition in Microsoft ODBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server, trigger an out-of-bounds read error and read the contents of memory on the system, leading to arbitrary code execution.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Visual Studio: 16.0 - 2022 version 17.9
Microsoft SQL Server: 2019 GDR - 2022 CU12
Microsoft ODBC Driver for SQL Server on Linux: 17 - 18.0
Microsoft ODBC Driver for SQL Server on macOS: 17 - 18.0
Microsoft ODBC Driver for SQL Server on Windows: 17.0 - 18.0
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-28938
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.