Description
.NET Framework Information Disclosure Vulnerability
FAQ
If I am using System.Data.SqlClient or Microsoft.Data.SqlClient, what do I need to do to be protected from this vulnerability?
Customers using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet packages need to do the following to be protected:
- If you are using System.Data.SqlClient on .NET Framework, you must install the November update for .NET Framework.
- If you are using System.Data.SqlClient on .NET Core, .NET 5 or .NET 6, you must update the NuGet package to an updated version as listed in the affected packages.
- If you are using Microsoft.Data.SqlClient anywhere (.NET Core, .NET 5/6, .NET Framework) and you are using a version that is vulnerable, you must update as listed in the affected packages.
Please see Microsoft Security Advisory CVE-2022-41064 | .NET Information Disclosure Vulnerability for more information.
According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?
Exploiting this vulnerability requires an attacker to be within the SQL Connection Pool.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to exhaust all the threads in the thread pool.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
In this case, a successful attack could allow the attacker to access queries from other users in the SQL Connection Pool.
Updates
| Product | Article | Update |
|---|---|---|
| NuGet 4.8.5 | | |
| NuGet 2.1.2 | | |
| Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | | |
| Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for 32-bit Systems | | |
| Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for x64-based Systems | | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems | | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems | | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | | |
| Microsoft .NET Framework 4.8 on Windows RT 8.1 | | |
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
CVSS3: 5.8 Medium
Related vulnerabilities
Information disclosure vulnerability in the Microsoft .NET Framework software platform, allowing an attacker to gain unauthorized access to protected information
EPSS
CVSS3: 5.8 Medium