SQL Server Native Client: Remote Code Execution Vulnerability
CVE-2024-49018 Published on November 12, 2024
SQL Server Native Client Remote Code Execution Vulnerability
SQL Server Native Client Remote Code Execution Vulnerability
Weakness Type
Numeric Truncation Error
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
Products Associated with CVE-2024-49018
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-49018 are published in these products:
Affected Versions
Microsoft SQL Server 2017 (GDR):- Version 14.0.0 and below 14.0.2070.1 is affected.
- Version 15.0.0 and below 15.0.2130.3 is affected.
- Version 13.0.0 and below 13.0.6455.2 is affected.
- Version 13.0.0 and below 13.0.7050.2 is affected.
- Version 14.0.0 and below 14.0.3485.1 is affected.
- Version 15.0.0 and below 15.0.4410.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.