Bug 2255384 (CVE-2024-0056) - CVE-2024-0056 dotnet: Information Disclosure: MD.SqlClient(MDS) & System.data.SQLClient (SDS)
Summary: CVE-2024-0056 dotnet: Information Disclosure: MD.SqlClient(MDS) & System.data...
Keywords:
Status: NEW
Alias: CVE-2024-0056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257551 2257552 2257553 2255392
Blocks: 2255383
TreeView+ depends on / blocked
 
Reported: 2023-12-20 14:03 UTC by Patrick Del Bello
Modified: 2024-02-05 16:57 UTC (History)
7 users (show)

Fixed In Version: .NET SDK 6.0.126 and .NET Runtime 6.0.26 and .NET SDK 7.0.115 and .NET Runtime 7.0.15
Doc Type: ---
Doc Text:
A vulnerability was found in the .NET Framework. This vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0150 0 None None None 2024-01-10 15:37:58 UTC
Red Hat Product Errata RHSA-2024:0151 0 None None None 2024-01-10 15:37:21 UTC
Red Hat Product Errata RHSA-2024:0152 0 None None None 2024-01-10 15:37:39 UTC
Red Hat Product Errata RHSA-2024:0156 0 None None None 2024-01-10 18:15:15 UTC
Red Hat Product Errata RHSA-2024:0157 0 None None None 2024-01-10 18:31:57 UTC
Red Hat Product Errata RHSA-2024:0158 0 None None None 2024-01-10 18:31:45 UTC
Red Hat Product Errata RHSA-2024:0255 0 None None None 2024-01-15 15:58:01 UTC

Description Patrick Del Bello 2023-12-20 14:03:28 UTC 
Information Disclosure: MD.SqlClient(MDS) & System.data.SQLClient (SDS) - client library supports establishing non-ssl TCP connection
Comment 3 Sandipan Roy 2024-01-10 03:48:20 UTC 
Created dotnet6.0 tracking bugs for this issue:

Affects: fedora-all [bug 2257551]


Created dotnet7.0 tracking bugs for this issue:

Affects: fedora-all [bug 2257552]


Created dotnet8.0 tracking bugs for this issue:

Affects: fedora-all [bug 2257553]
Comment 4 errata-xmlrpc 2024-01-10 15:37:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0151 https://access.redhat.com/errata/RHSA-2024:0151
Comment 5 errata-xmlrpc 2024-01-10 15:37:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0152 https://access.redhat.com/errata/RHSA-2024:0152
Comment 6 errata-xmlrpc 2024-01-10 15:37:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0150 https://access.redhat.com/errata/RHSA-2024:0150
Comment 7 errata-xmlrpc 2024-01-10 18:15:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0156 https://access.redhat.com/errata/RHSA-2024:0156
Comment 8 errata-xmlrpc 2024-01-10 18:31:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0158 https://access.redhat.com/errata/RHSA-2024:0158
Comment 9 errata-xmlrpc 2024-01-10 18:31:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0157 https://access.redhat.com/errata/RHSA-2024:0157
Comment 10 errata-xmlrpc 2024-01-15 15:57:59 UTC 
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2024:0255 https://access.redhat.com/errata/RHSA-2024:0255
Note You need to log in before you can comment on or make changes to this bug.