CVE-2024-0056

Published: Jan 9, 2024Modified: Nov 21, 2024

8.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.8

Source: secure@microsoft.com (Secondary)

Description

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

Affected (23)

Products: Microsoft: Microsoft.data.sqlclient, Sql Server, System.data.sqlclient, Visual Studio 2022, .net Framework, .net

6 products

Microsoft.data.sqlclient

System.data.sqlclient

Visual Studio 2022

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Microsoft Microsoft.data.sqlclient	From 2.1 to 2.1.7
Microsoft Microsoft.data.sqlclient	From 3.1 to 3.1.5
Microsoft Microsoft.data.sqlclient	From 4.0 to 4.0.5
Microsoft Microsoft.data.sqlclient	From 5.1 to 5.1.3
Microsoft Sql Server	Version 2022
Microsoft Sql Server	Version 2022 cumulative_update_10
Microsoft System.data.sqlclient	Before 4.8.6
Microsoft Visual Studio 2022	From 17.2 to 17.2.23
Microsoft Visual Studio 2022	From 17.4 to 17.4.15
Microsoft Visual Studio 2022	From 17.6 to 17.6.11
Microsoft Visual Studio 2022	From 17.8 to 17.8.4

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net Framework	From 4.8 to 4.8.04690.01

Configuration D

3 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 4.6.2
Microsoft .net Framework	Version 4.7.1
Microsoft .net Framework	Version 4.7

Running on/with	Platform Versions
Microsoft Windows Server 2008	Version r2 sp1
Microsoft Windows Server 2012	All versions
Microsoft Windows Server 2012	Version r2

Configuration E

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 4.8.1

Running on/with	Platform Versions
Microsoft Windows 11 23h2	All versions
Microsoft Windows 11 23h2	All versions

Configuration F

1 vulnerable · 12 platform

Vulnerable Software	Affected Versions
Microsoft .net Framework	From 4.8 to 4.8.04690.02

Running on/with	Platform Versions
Microsoft Windows 10 21h2	All versions
Microsoft Windows 10 21h2	All versions
Microsoft Windows 10 21h2	All versions
Microsoft Windows 10 22h2	All versions
Microsoft Windows 10 22h2	All versions
Microsoft Windows 10 22h2	All versions
Microsoft Windows 11 21h2	All versions
Microsoft Windows 11 21h2	All versions
Microsoft Windows 11 22h2	All versions
Microsoft Windows 11 22h2	All versions
Microsoft Windows Server 2022	All versions
Microsoft Windows Server 2022 23h2	All versions

Configuration G

2 vulnerable · 7 platform

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 3.5
Microsoft .net Framework	Version 4.7.2

Running on/with	Platform Versions
Microsoft Windows 10 1607	All versions
Microsoft Windows 10 1607	All versions
Microsoft Windows 10 1809	All versions
Microsoft Windows 10 1809	All versions
Microsoft Windows 10 1809	All versions
Microsoft Windows Server 2016	All versions
Microsoft Windows Server 2019	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Microsoft .net Framework	Version 2.0 sp2

Running on/with	Platform Versions
Microsoft Windows Server 2008	All versions

Configuration I

3 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net	From 6.0.0 to 6.0.26
Microsoft .net	From 7.0.0 to 7.0.15
Microsoft .net	Version 8.0.0

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056

Source: secure@microsoft.com

PatchVendor Advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.