## Microsoft JDBC Driver 11.2.3 Contains High-Severity Vulnerability (CVSS 8.1), Scanner Flags Unreachable Code Path
A high-severity security vulnerability with a CVSS score of 8.1 has been identified in the Microsoft JDBC Driver for SQL Server, version 11.2.3.jre17. The vulnerability scanner report places the flaw in the library file `mssql-jdbc-11.2.3.jre17.jar`, but marks the specific code path as 'unreachable'. This leaves a high-severity latent risk within a core Microsoft data-connectivity component used by countless Java applications to interact with SQL Server databases.

The vulnerable library is a direct dependency declared in the project's `/pom.xml` and is resolved from the standard local Maven repository path. While the scanner notes that the user is already on the 'least vulnerable package' after checking all newer version trees, a high-severity flaw in a widely deployed Microsoft driver still warrants immediate scrutiny. The report explicitly warns that a newer version might address the vulnerability, but does not recommend one, suggesting potential compatibility or stability trade-offs that complicate the patching decision.
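The first thing a team in this position usually wants is a reliable inventory answer: is the driver declared directly in the POM, at which version, and does that version satisfy whatever floor the team sets while it waits for guidance? The script below is an added example, not code from the page, from Microsoft, or from the project whose scanner report is summarised. It parses a constructed `pom.xml` (embedded inline, with the driver version supplied through a Maven property so that a plain grep for the version string would miss it), resolves the property, and splits the `11.2.3.jre17` style version into its numeric base and its `jreNN` target-runtime classifier so that the classifier is never compared as if it were a fourth version number. The policy floor passed to `assess()` is a placeholder chosen by the caller; the page names no version that fixes the flaw, and the example asserts nothing about one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the project's own file). The driver version
# is declared through a Maven property, which a text search for the literal
# version string would miss; the resolved value matches the report's version.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <mssql.version>11.2.3.jre17</mssql.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.microsoft.sqlserver</groupId>
      <artifactId>mssql-jdbc</artifactId>
      <version>${mssql.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# mssql-jdbc versions look like MAJOR.MINOR.PATCH[.jreNN]; the jreNN part is a
# target-JRE classifier, not a numeric version component.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.jre(\d+))?$")


def _properties(root):
    """Collect <properties> as a plain dict, stripping the POM namespace."""
    props = {}
    node = root.find("m:properties", NS)
    if node is not None:
        for child in node:
            props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return props


def _resolve(value, props):
    """Resolve a single ${property} reference; literal values pass through."""
    value = value.strip()
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    if not m:
        return value
    name = m.group(1)
    if name not in props:
        raise KeyError(f"POM property {name!r} is not defined")
    return props[name]


def find_direct_dependency(pom_xml, group_id, artifact_id):
    """Return the resolved <version> of a dependency declared directly in the
    POM, or None when it is absent (a transitive-only dependency also yields
    None, because it never appears in <dependencies>)."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        if g == group_id and a == artifact_id:
            version = dep.findtext("m:version", namespaces=NS)
            return _resolve(version, props) if version else None
    return None


def parse_mssql_version(version):
    """Split '11.2.3.jre17' into ((11, 2, 3), 17); the JRE classifier may be
    absent, in which case it is returned as None."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised mssql-jdbc version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    jre = int(m.group(4)) if m.group(4) else None
    return base, jre


def is_at_least(version, floor):
    """Compare only the numeric base; '11.2.3.jre8' and '11.2.3.jre17' are the
    same driver release built for different runtimes."""
    return parse_mssql_version(version)[0] >= parse_mssql_version(floor)[0]


def assess(pom_xml, policy_floor):
    """Report whether mssql-jdbc is a direct dependency and whether its version
    meets the caller's policy floor. The floor is a placeholder set by the
    caller; it is not a claim that any particular version fixes the flaw."""
    declared = find_direct_dependency(pom_xml, "com.microsoft.sqlserver", "mssql-jdbc")
    if declared is None:
        return {"direct": False, "verdict": "not-declared"}
    base, jre = parse_mssql_version(declared)
    verdict = "meets-floor" if is_at_least(declared, policy_floor) else "below-floor"
    return {"direct": True, "version": declared, "base": base, "jre": jre, "verdict": verdict}


if __name__ == "__main__":
    # Placeholder floor for demonstration only.
    print(assess(SAMPLE_POM, "11.2.0.jre17"))
```

Running the module prints the parsed declaration for the constructed POM. The point of `is_at_least` is the classifier handling: a naive string comparison ranks `11.2.3.jre17` below `11.2.3.jre8` because `'1' < '8'`, which is exactly the kind of mistake that makes a dependency audit report the wrong artifact as outdated.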

This situation places development and security teams in a bind: they must weigh the risk of a known high-severity vulnerability against the potential instability of an upgrade, while the 'unreachable' classification leaves the exact exploitability ambiguous. The finding pressures organizations relying on this driver either to conduct deeper manual security assessments to determine whether the unreachable path can be triggered in their specific application context, or to accept the risk while monitoring for a more stable fix from Microsoft.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, mssql, jdbc, security, dependency
- **Credibility**: unverified
- **Published**: 2026-03-26 18:27:37
- **ID**: 35927
- **URL**: https://whisperx.ai/en/intel/35927