Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass · CVE-2024-0056 · GitHub Advisory Database · GitHub

Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass

High severity GitHub Reviewed Published Jan 9, 2024 to the GitHub Advisory Database • Updated May 31, 2024

Package

Microsoft.Data.SqlClient (NuGet)

Affected versions

< 2.1.7

>= 3.0.0, < 3.1.5

>= 4.0.0, < 4.0.5

>= 5.0.0, < 5.1.3

Patched versions

2.1.7

3.1.5

4.0.5

5.1.3

System.Data.SqlClient (NuGet)

< 4.8.6

4.8.6

Description

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

References

Published by the National Vulnerability Database

Jan 9, 2024

Published to the GitHub Advisory Database Jan 9, 2024

Reviewed Jan 16, 2024

Last updated May 31, 2024

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N