CDS T-SQL Endpoint Vulnerability

I received a notification today that the preview TDS endpoint had been disabled on my environment because of a security vulnerability.

Update 2020-10-22 – the TDS endpoint has now been re-enabled 😊

Vulnerability Report from Microsoft

Sure enough, even though the Power Platform Admin Center shows the endpoint as enabled, when I try to connect to it I get an error indicating it’s disabled.

It appears that Microsoft have identified a method to bypass the row-level security. A user that can read one record of an entity can effectively raise their permissions to read all those records.

Hopefully this will be resolved soon. I’d also be interested to hear if the same exploit affects the filtered views for on-premise systems.

In the meantime you can still run your SQL queries using SQL 4 CDS, leaving the option to use the T-SQL endpoint disabled. Queries run via SQL 4 CDS are not affected by this vulnerability.


5 Comments

  1. This is so frustrating. I got the same email and saw several PBI reports that were depending on it break as well. I’m guessing you haven’t heard anything else?

    1. No more updates yet, and it’s still disabled even though it’s showing as enabled in the admin center. I guess we’ve just got to wait and see at the moment, the perils of using a preview feature!

  2. As far as I can tell, by now (Oct 28, 2020), this has been fixed and the TDS endpoints are active again.
