CVE-2023-32028: 
vulnerability analysis and mitigation

Microsoft SQL OLE DB Remote Code Execution Vulnerability, identified as CVE-2023-32028, affects Microsoft OLE DB Driver for SQL Server versions 18.0.2 through 18.6.0006.0 and versions 19.0.0 through 19.3.0001.0, as well as SQL Server 2019 and 2022 x64 editions. The vulnerability was initially disclosed on May 1, 2023 (CVE Details).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Microsoft has classified this as a heap-based buffer overflow vulnerability (CWE-122) (NVD).

This vulnerability could allow an attacker to execute remote code execution attacks when a client connects to a malicious server. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of affected systems (Tech Community).

Microsoft has released security updates to address this vulnerability. The fixes are available in Microsoft OLE DB Driver 18.6.6 and 19.3.1 for SQL Server. These driver updates are also included in SQL Server 2019 CU21 and SQL Server 2022 CU5. Organizations using standalone applications with these drivers should update to the latest versions (Tech Community).