{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/en-US/$metadata#vulnerability/$entity","id":"00000000-0000-0000-0000-0000bf55f5a1","releaseDate":"2021-05-11T07:00:00Z","cveNumber":"CVE-2021-28455","cveTitle":"Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability","releaseNumber":"2021-May","vulnType":"Security Vulnerability","latestRevisionDate":"2021-06-08T07:00:00Z","cweList":[],"mitreText":"CVE-2021-28455","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2021-28455","publiclyDisclosed":"No","exploited":"No","latestSoftwareReleaseId":2,"latestSoftwareRelease":"Exploitation Less Likely","olderSoftwareReleaseId":2,"olderSoftwareRelease":"Exploitation Less Likely","denialOfService":"N/A","tag":"Jet Red and Access Connectivity","issuingCna":"Microsoft","severityId":100000001,"severity":"Important","impactId":100000005,"impact":"Remote Code Execution","langCode":"en-US","baseScore":"8.8","temporalScore":"7.7","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","isMariner":false,"articles":[{"articleType":"FAQ","description":"
Is the Preview Pane an attack vector for this vulnerability?
\nNo, the Preview Pane is not an attack vector.
\n","ordinal":10000},{"articleType":"FAQ","description":"How do the security updates address this vulnerability?
\nThe security updates address the vulnerability by providing the ability to configure the Jet Red Database Engine or Access Connectivity Engine to block access to remote databases. You might need to do this when you allow unprivileged users to run custom SQL queries in JET or ACE. See KB5002984: Configuring Jet Red Database Engine and Access Connectivity Engine to block access to remote databases for more information.
\nIf I do not disable these SQL queries, is there any other way I can be protected from this vulnerability?
\nNo. Allowing \u2018External database queries\u2019 can expose you to security risks if you accept ad hoc SQL queries or have a SQL injection flaw in your system that could allow an unknown user to specify \u2018external databases\u2019 \u2013 this could open you to a possible security exploit. If you understand the risks and are confident you do not have an ad hoc SQL or SQL injection flaw, you could consider not disabling this feature.
\nIf after disabling the registry values as listed in KB5002984 you choose to re-enable them, it might make your device vulnerable to attack by a malicious user or malicious software. We do not recommend that you re-enable these registry values but are providing this information so that you can choose to implement this at your own discretion. Use this at your own risk.
\n","ordinal":10000}],"revisions":[{"cveNumber":"CVE-2021-28455","version":1.0000000000,"revisionDate":"2021-05-11T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"Information published.
\n","unformattedDescription":"Information published.","notificationNeeded":false,"notificationSent":false,"sourceId":"af78e6a6-9586-eb11-a838-000d3a6d3364"},{"cveNumber":"CVE-2021-28455","version":2.0000000000,"revisionDate":"2021-06-08T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"CVE updated to document that this vulnerability also affects Microsoft Access 2013 and Microsoft Access 2016. Customers using those products should apply the security updates released on June 8, 2021.
\n","unformattedDescription":"CVE updated to document that this vulnerability also affects Microsoft Access 2013 and Microsoft Access 2016. Customers using those products should apply the security updates released on June 8, 2021.","notificationNeeded":false,"notificationSent":false,"sourceId":"a6114882-c3c3-eb11-a83f-000d3a6d3364"}]}