SQL Server Microsoft SQL Server Database Server

Do you want an email whenever new security vulnerabilities are reported in Microsoft SQL Server?

Recent Microsoft SQL Server Security Advisories

Advisory Title Published
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability March 12, 2024
CVE-2024-21358 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability February 13, 2024
CVE-2024-21375 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability February 13, 2024
CVE-2024-21369 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability February 13, 2024
CVE-2024-21350 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability February 13, 2024

By the Year

In 2024 there have been 1 vulnerability in Microsoft SQL Server with an average score of 8.7 out of ten. Last year SQL Server had 18 security vulnerabilities published. Right now, SQL Server is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.95.

Year Vulnerabilities Average Score
2024 1 8.70
2023 18 7.75
2022 1 7.50
2021 1 8.80
2020 1 8.80
2019 2 7.65
2018 1 9.80

It may take a day or so for new SQL Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Microsoft SQL Server Security Vulnerabilities

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0056 8.7 - High - January 09, 2024

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36785 7.8 - High - October 10, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36730 7.8 - High - October 10, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft SQL Server Denial of Service Vulnerability

CVE-2023-36728 5.5 - Medium - October 10, 2023

Microsoft SQL Server Denial of Service Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36420 7.8 - High - October 10, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft SQL OLE DB Remote Code Execution Vulnerability

CVE-2023-36417 7.8 - High - October 10, 2023

Microsoft SQL OLE DB Remote Code Execution Vulnerability

Microsoft SQL OLE DB Remote Code Execution Vulnerability

CVE-2023-38169 - August 08, 2023

Microsoft SQL OLE DB Remote Code Execution Vulnerability

Microsoft SQL OLE DB Remote Code Execution Vulnerability

CVE-2023-32028 7.8 - High - June 16, 2023

Microsoft SQL OLE DB Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32027 7.8 - High - June 16, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32026 7.8 - High - June 16, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32025 7.8 - High - June 16, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-29356 7.8 - High - June 16, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

CVE-2023-29349 7.8 - High - June 16, 2023

Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2023-23384 7.3 - High - April 11, 2023

Microsoft SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-21718 7.8 - High - February 14, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2023-21713 8.8 - High - February 14, 2023

Microsoft SQL Server Remote Code Execution Vulnerability

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2023-21705 8.8 - High - February 14, 2023

Microsoft SQL Server Remote Code Execution Vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-21704 7.8 - High - February 14, 2023

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2023-21528 7.8 - High - February 14, 2023

Microsoft SQL Server Remote Code Execution Vulnerability

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2022-29143 7.5 - High - June 15, 2022

Microsoft SQL Server Remote Code Execution Vulnerability

Microsoft SQL Elevation of Privilege Vulnerability

CVE-2021-1636 8.8 - High - January 12, 2021

Microsoft SQL Elevation of Privilege Vulnerability

SQL Injection

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests

CVE-2020-0618 8.8 - High - February 11, 2020

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

Marshaling, Unmarshaling

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions

CVE-2019-1068 8.8 - High - July 15, 2019

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services when it improperly enforces metadata permissions

CVE-2019-0819 6.5 - Medium - May 16, 2019

An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services when it improperly enforces metadata permissions, aka 'Microsoft SQL Server Analysis Services Information Disclosure Vulnerability'.

A buffer overflow vulnerability exists in the Microsoft SQL Server

CVE-2018-8273 9.8 - Critical - August 15, 2018

A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system, aka "Microsoft SQL Server Remote Code Execution Vulnerability." This affects Microsoft SQL Server.

Memory Corruption

Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, Microsoft SQL Server 2014, and Microsoft SQL Server 2016

CVE-2017-8516 7.5 - High - August 08, 2017

Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, Microsoft SQL Server 2014, and Microsoft SQL Server 2016 allows an information disclosure vulnerability when it improperly enforces permissions, aka "Microsoft SQL Server Analysis Services Information Disclosure Vulnerability".

Information Disclosure

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0

CVE-2009-3126 - October 14, 2009

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Integer Overflow Vulnerability."

Numeric Errors

GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document

CVE-2009-2528 - October 14, 2009

GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability."

Code Injection

Multiple integer overflows in unspecified APIs in GDI+ in Microsoft .NET Framework 1.1 SP1, .NET Framework 2.0 SP1 and SP2, Windows XP SP2 and SP3, Windows Server 2003 SP2, Vista Gold and SP1, Server 2008 Gold, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0

CVE-2009-2504 - October 14, 2009

Multiple integer overflows in unspecified APIs in GDI+ in Microsoft .NET Framework 1.1 SP1, .NET Framework 2.0 SP1 and SP2, Windows XP SP2 and SP3, Windows Server 2003 SP2, Vista Gold and SP1, Server 2008 Gold, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allow remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "GDI+ .NET API Vulnerability."

Numeric Errors

GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file

CVE-2009-2503 - October 14, 2009

GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka "GDI+ TIFF Memory Corruption Vulnerability."

Code Injection

Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0

CVE-2009-2502 - October 14, 2009

Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted TIFF image file, aka "GDI+ TIFF Buffer Overflow Vulnerability."

Buffer Overflow

Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0

CVE-2009-2501 - October 14, 2009

Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Heap Overflow Vulnerability."

Buffer Overflow

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0

CVE-2009-2500 - October 14, 2009

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted WMF image file, aka "GDI+ WMF Integer Overflow Vulnerability."

Numeric Errors

gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0

CVE-2008-3013 - September 11, 2008

gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed GIF image file containing many extension markers for graphic control extensions and subsequent unknown labels, aka "GDI+ GIF Parsing Vulnerability."

Resource Management Errors

Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which

CVE-2002-1872 7.5 - High - December 31, 2002

Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.

Inadequate Encryption Strength

XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which

CVE-2002-0057 - March 08, 2002

XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which allows remote attackers to read arbitrary files by specifying a local file as an XML Data Source.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Microsoft Windows XP or by Microsoft? Click the Watch button to subscribe.

Microsoft
Vendor

Microsoft SQL Server
Database Server

subscribe