FAQ
Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.
MSRC compact vulnerability detail
CVE-2021-28455 · Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
No description was published by MSRC.
Signals
Jet Red and Access Connectivity
Remote Code Execution
Exploited: No
Publicly disclosed: No
Exploitability: Exploitation Less Likely
CWE
No CWE data published.
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Description
No description was published by MSRC.
FAQ / Articles
FAQ
How do the security updates address this vulnerability? The security updates address the vulnerability by providing the ability to configure the Jet Red Database Engine or Access Connectivity Engine to block access to remote databases. You might need to do this when you allow unprivileged users to run custom SQL queries in JET or ACE. See KB5002984: Configuring Jet Red Database Engine and Access Connectivity Engine to block access to remote databases for more information. If I do not disable these SQL queries, is there any other way I can be protected from this vulnerability? No. Allowing ‘External database queries’ can expose you to security risks if you accept adhoc SQL queries or have a SQL injection flaw in your system which could allow an unknown user to specify ‘external databases’ – this could open you to a possible security exploit. If you understand the risks and are confident you do not have a SQL adhoc/injection flaw you could consider not disabling this feature. If after disabling the registry values as listed in KB5002984 you choose to re-enable them, it might make your device vulnerable to attack by a malicious user or malicious software. We do not recommend that you...