CVE-2024-0056:
Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass

CVSS Score: 8.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.56442%
Published: 1/9/2024
Updated: 5/31/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
Microsoft.Data.SqlClient   nuget       < 2.1.7               2.1.7
System.Data.SqlClient      nuget       < 4.8.6               4.8.6
Microsoft.Data.SqlClient   nuget       >= 3.0.0, < 3.1.5     3.1.5
Microsoft.Data.SqlClient   nuget       >= 4.0.0, < 4.0.5     4.0.5
Microsoft.Data.SqlClient   nuget       >= 5.0.0, < 5.1.3     5.1.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided advisories describe a security feature bypass caused by improper certificate validation during encrypted connections, but they do not explicitly name specific vulnerable functions or provide code or commit diffs. The vulnerability likely lives in the TLS handshake and certificate validation logic (potentially reached through connection initialization methods such as SqlConnection.Open), but because the public disclosures omit implementation details, exact function names cannot be identified with high confidence. The CWE-319 classification suggests sensitive data exposure over an encrypted channel whose server certificate was not validated; this manifests at the protocol implementation level rather than in specific identifiable functions, and pinning it down would require deeper code analysis.

WAF Protection Rules

WAF Rule

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
