FIX: A specially crafted query run by a low privileged user may expose the masked data in SQL Server 2016 and 2017

Applies to: SQL Server 2016 DeveloperSQL Server 2016 EnterpriseSQL Server 2016 Enterprise Core More

Symptoms


Assume that you use Dynamic Data Masking (DDM) on a column in a table in Microsoft SQL Server 2016 or 2017 to mask sensitive data. When a low privileged user runs a specially crafted query, then the masked data may be exposed.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. 

Resolution


This issue is fixed in the following cumulative updates for SQL Server:

About cumulative updates for SQL Server:

Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:

References


Learn about the terminology that Microsoft uses to describe software updates.