Security vulnerabilities in Redgate products
This page details previously-announced security vulnerabilities in Redgate's products. Our Product Security Policy details how we announce vulnerabilities.
2025
- Redgate Monitor prior to 14.0.50 contains a vulnerability that allows non-administrator users to view and access all alerts, bypassing the configured access controls. Details
2024
- Redgate Monitor prior to version 14.0.8 is susceptible to CVE-2024-35255, allowing an attacker with local access to the system hosting the Redgate Monitor Base Monitor to read any file on the file system with SYSTEM access permissions. Details
2023
- SQL Monitor versions 12.0.0 to 13.0.21 (inclusive) contain a vulnerability that can result in a Denial of Service attack against its Web Service when hosted using SQL Monitor's built-in web server (CVE-2023-38180). Details
- SQL Monitor prior to version 12.1.54 contains vulnerabilities allowing low-privileged users to perform actions their permissions should not allow, and when using Active Directory (LDAP) authentication, allows low-privileged users to elevate their permissions to a SQL Monitor administrator role (CVE-2022-47542). Details
2021
- CVE-2021-44228 (log4j's "log4shell" vulnerability) did not affect any of Redgate's products. Details
- SQL Monitor versions 9.0.4 to 11.0.18 (inclusive) contain an issue when using Active Directory authorization, whereby some non-administrator users could potentially view servers they were not entitled to according to SQL Monitor's access control settings. Details
2020
- SQL Monitor versions 7.1.4 to 10.1.5 (inclusive) do not correctly check TLS certificate validity for webhook, email, or Slack alerts when it is disabled for a particular scope, or where VMware servers are monitored. Details
- SQL Monitor versions 9.0.13 to 9.2.14 (inclusive) have a security vulnerability where a user who is an administrator of the SQL Monitor installation is able to perform a SQL injection attack. Details
2019
- SQL Monitor prior to 9.2.5 allowed users with administrative privileges to retrieve configured SMTP server credentials. Details
2018
- SQL Monitor prior to 8.0.19 was vulnerable to a cross-site scripting attack. Details
- SmartAssembly prior to 6.12.5 was vulnerable to untrusted code execution. Details
- .NET Reflector prior to 10.0.7.774 was vulnerable to untrusted code execution. Details
2015
- SQL Monitor prior to 4.2, or SQL Monitor 3 prior to 3.10, was vulnerable to an authentication bypass and SQL command execution. Details
2013
- SQL Backup versions 7.4 and 7.5 insecurely stored credentials for the SQL Backup Agent service. Details