CVE-2024-37342: 
vulnerability analysis and mitigation

Microsoft SQL Server Native Scoring Information Disclosure Vulnerability (CVE-2024-37342) is a security flaw affecting various versions of Microsoft SQL Server. The vulnerability was disclosed on September 10, 2024, and affects multiple versions including SQL Server 2016, 2017, 2019, and 2022, as well as SQL 2016 Azure Connect Feature Pack (NVD).

The vulnerability has received varying severity assessments, with Microsoft assigning it a CVSS v3.1 Base Score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L, while NIST's assessment indicates a CVSS v3.1 Base Score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) by Microsoft (NVD).

This information disclosure vulnerability could potentially lead to unauthorized access to sensitive information in Microsoft SQL Server. The varying CVSS scores indicate different assessments of the potential impact, with Microsoft's evaluation suggesting a higher potential for data exposure (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available through the latest cumulative updates for affected SQL Server versions, including SQL Server 2022 CU14 and corresponding updates for other versions (Microsoft Support).