Overview
MS SQL Server contains an extended stored procedure with inappropriate permission settings.
Description
Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 contain an extended stored procedure, xp_execresultset, that permits an unprivileged user of a database to gain administrative access to the database. For more information, please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp and |
Impact
An intruder can gain administrative access to a vulnerable SQL Server database. |
Solution
Apply a patch as described in http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp. |
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
Acknowledgements
Thanks to David Litchfield of NGS Software for reporting this vulnerability.
This document was written by Shawn V Hernan.
Other Information
CVE IDs: | CVE-2002-0721 |
Severity Metric: | 12.66 |
Date Public: | 2002-08-16 |
Date First Published: | 2002-08-16 |
Date Last Updated: | 2002-08-16 22:14 UTC |
Document Revision: | 4 |