This issue was discovered by Suman Jana and Milana Kovacev from IT security company SentinelOne. This issue affects SQL Server 2012 SP1, 2012 SP2, 2014, and 2016 versions. This issue was fixed in SQL Server 2017. SQL Server is a relational database management system that has a large market share among enterprise data centers. This issue allows attackers to execute arbitrary code in the context of the SQL Server user via a specially crafted request. This vulnerability can be exploited by malicious users to execute arbitrary code in the context of the SQL Server user. What’s worse, if the SQL Server is configured to run with Windows Authentication, an attacker does not even need to log in to the SQL server to exploit this vulnerability. An attacker only needs to send an HTTP request with a specially crafted parameter to the SQL server and this vulnerability can be exploited by the attacker without any user interaction.
This vulnerability can be exploited by malicious users to execute arbitrary code in the context of the SQL Server user via a specially crafted request. What’s worse, if the SQL Server is configured to run with Windows Authentication, an attacker does not even need to log in to the SQL server to exploit this vulnerability. An attacker only needs to send an HTTP request with a specially crafted parameter to the SQL server and this vulnerability can be exploited by the attacker without any user interaction
Technical details
This issue was fixed in SQL Server 2017. SQL Server is a relational database management system that has a large market share among enterprise data centers. This issue allows attackers to execute arbitrary code in the context of the SQL Server user via a specially crafted request. This vulnerability can be exploited by malicious users to execute arbitrary code in the context of the SQL Server user
Vulnerability overview
SQL Server is a relational database management system that has a large market share among enterprise data centers. SQL Server is prone to this issue as it does not have any input validation when handling client requests. This allows attackers to execute arbitrary code in the context of the SQL Server user via a specially crafted request, without need for any external network access.
SQL Server - An Overview
SQL Server is a relational database management system that has a large market share among enterprise data centers. SQL Server can be configured to run in many different modes, depending on the needs of the user. The default mode for SQL Server is stand-alone mode, which can be used without any configuration and with minimal use of resources. However, like all relational databases, it can also implement various clustering options for high availability and scalability.
Timeline
Published on: 09/13/2022 19:15:00 UTC
Last modified on: 09/16/2022 16:34:00 UTC