PT-2022-5635 · Microsoft · System.Data.Sqlclient+3

Published: 2022-11-08 · Updated: 2025-01-02 · CVE-2022-41064

CVSS v3.1: 5.8 (Medium)
Vector: AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

.NET Framework versions prior to the November 2022 update
System.Data.SqlClient versions prior to 4.8.5
Microsoft.Data.SqlClient versions prior to 2.1.2

Description

A vulnerability in .NET Framework allows attackers to obtain sensitive information and affect the system. The issue is related to the System.Data.SqlClient and Microsoft.Data.SqlClient NuGet packages, where a timeout occurring under high load can cause incorrect data to be returned as the result of an asynchronously executed query. If your application does not talk to Microsoft SQL Server, you are not affected by this vulnerability.

Recommendations

For .NET Framework, install the November 2022 update.
For System.Data.SqlClient on .NET Core, .NET 5, or .NET 6, update the NuGet package to version 4.8.5 or later.
For Microsoft.Data.SqlClient, update the NuGet package to version 2.1.2 or later.

To fix direct dependencies, edit the project file or use the NuGet command line to update the dependency. To fix transitive dependencies, discover them by examining the project.assets.json file, and then add a direct dependency on the updated package to your csproj file to override the transitive dependency. Rebuild your application, test, and redeploy after updating the dependencies.
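As an added example (not part of this advisory and not Microsoft's code), a small Python check that walks the libraries section of a project.assets.json and flags the two SqlClient packages when they are below the fixed versions named above, which is the transitive-dependency discovery step the recommendations describe. The assets.json layout it assumes (a "libraries" map keyed "Name/Version" with a "type" field) and the sample document are constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Minimum fixed versions from the advisory (CVE-2022-41064); NuGet IDs are
# case-insensitive, so the lookup key is lower-cased.
FIXED_VERSIONS = {
    "system.data.sqlclient": "4.8.5",
    "microsoft.data.sqlclient": "2.1.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a NuGet version such as '4.8.3' or '2.1.0-preview1' into a tuple.

    The pre-release suffix and build metadata are dropped, so '2.1.2-preview'
    compares equal to '2.1.2'; that is sufficient for a lower-bound check.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable_sqlclient(assets: Dict) -> List[Tuple[str, str]]:
    """Return sorted (package, version) pairs that are below the fixed version.

    Only entries of type 'package' are considered; project references are skipped.
    """
    hits = []
    for key, entry in assets.get("libraries", {}).items():
        if entry.get("type") != "package":
            continue
        name, _, version = key.partition("/")
        fixed = FIXED_VERSIONS.get(name.lower())
        if fixed and parse_version(version) < parse_version(fixed):
            hits.append((name, version))
    return sorted(hits)


# Constructed sample in the shape of project.assets.json (not a real project):
SAMPLE_ASSETS = json.loads("""
{
  "libraries": {
    "System.Data.SqlClient/4.8.3": {"type": "package"},
    "Microsoft.Data.SqlClient/2.1.2": {"type": "package"},
    "Newtonsoft.Json/13.0.1": {"type": "package"},
    "MyApp.Shared/1.0.0": {"type": "project"}
  }
}
""")

if __name__ == "__main__":
    for name, version in find_vulnerable_sqlclient(SAMPLE_ASSETS):
        print(f"{name} {version} is below the fixed version {FIXED_VERSIONS[name.lower()]}")
```

Run it against the real obj/project.assets.json of each project; any package it reports needs a direct PackageReference to the fixed version added to the csproj.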

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-07003
CVE-2022-41064
GHSA-8G2P-5PQH-5JMC

Affected Products

.Net Framework
Sql Server
Microsoft.Data.Sqlclient
System.Data.Sqlclient