db_name() and db_id() functions fail to trigger permissions check in SQL Server
When you execute the db_name() or db_id() function in an instance of SQL Server, permissions are not checked as expected. Therefore, the data that's returned may contain information that you don't have permissions for.
This issue is fixed in the following cumulative update for SQL Server:
About cumulative updates for SQL Server
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For information about the permissions that are required for these functions, see the DB_NAME (Transact-SQL) and DB_ID (Transact-SQL) topics on MSDN.
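The following T-SQL is an added example, not part of the original article or Microsoft's own code. It shows one way to check on a test instance whether DB_NAME() and DB_ID() return data for databases that a restricted login cannot see in sys.databases. The login name kb_metadata_probe and the password placeholder are constructed for this check, and the script assumes it is run from master by a sysadmin.

```sql
-- Added example: run from master on a TEST instance as a sysadmin.
-- kb_metadata_probe is a constructed login name; replace the password placeholder.
CREATE LOGIN kb_metadata_probe WITH PASSWORD = '<placeholder-strong-password>';
-- Remove the default visibility of all databases for this login.
DENY VIEW ANY DATABASE TO kb_metadata_probe;
GO

-- Capture the highest database id while still running as sysadmin.
DECLARE @max_id int = (SELECT MAX(database_id) FROM sys.databases);

-- Switch to the restricted login for the comparison.
EXECUTE AS LOGIN = 'kb_metadata_probe';

WITH ids AS (
    -- Candidate database ids 1..@max_id
    SELECT 1 AS id
    UNION ALL
    SELECT id + 1 FROM ids WHERE id < @max_id
)
SELECT i.id                  AS database_id,
       DB_NAME(i.id)         AS name_from_db_name,
       DB_ID(DB_NAME(i.id))  AS id_from_db_id
FROM ids AS i
LEFT JOIN sys.databases AS d
       ON d.database_id = i.id      -- rows this login is permitted to see
WHERE DB_NAME(i.id) IS NOT NULL     -- the function returned a name...
  AND d.database_id IS NULL         -- ...for a database hidden in sys.databases
OPTION (MAXRECURSION 0);

-- Return to the sysadmin context and clean up.
REVERT;
GO
DROP LOGIN kb_metadata_probe;
GO
```

Any row returned is a database name or ID exposed through the functions that the login cannot see in sys.databases. Running the script before and after applying the cumulative update shows whether the permissions check is in effect.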
Learn about the terminology that Microsoft uses to describe software updates.
Article ID: 3194961 - Last Review: 10/18/2016 05:58:00 - Revision: 2.0
Applies to: Microsoft SQL Server 2014 Developer, Microsoft SQL Server 2014 Enterprise, Microsoft SQL Server 2014 Enterprise Core, Microsoft SQL Server 2014 Standard