cvelistv5 - cve-2023-36019

CVE-2023-36019 (GCVE-0-2023-36019)

Vulnerability from cvelistv5

Published

2023-12-12 18:10

Modified

2025-01-01 02:18

Severity ?

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-73 - External Control of File Name or Path

Summary

Microsoft Power Platform Connector Spoofing Vulnerability

References

URL

Tags

	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019	Patch, Vendor Advisory

Impacted products

Vendor

Product

Version

Microsoft

Microsoft Power Platform

Version: 1.0.0 < 3.23113

Microsoft

Azure Logic Apps

Version: 3.0 < 3.23113

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:37:41.267Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Microsoft Power Platform Connector Spoofing Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Power Platform",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "3.23113",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Logic Apps",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "3.23113",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:power_platform:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.23113",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_logic_apps:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.23113",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2023-12-12T08:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Microsoft Power Platform Connector Spoofing Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-01T02:18:32.466Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Power Platform Connector Spoofing Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
        }
      ],
      "title": "Microsoft Power Platform Connector Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2023-36019",
    "datePublished": "2023-12-12T18:10:44.773Z",
    "dateReserved": "2023-06-20T20:44:39.823Z",
    "dateUpdated": "2025-01-01T02:18:32.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-36019\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2023-12-12T18:15:22.157\",\"lastModified\":\"2024-11-21T08:09:11.147\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Microsoft Power Platform Connector Spoofing Vulnerability\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de suplantaci\u00f3n de identidad del conector Microsoft Power Platform\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_logic_apps:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.23113\",\"matchCriteriaId\":\"3986CDFF-03DF-41B7-8655-59C0EF1CED24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:power_platform:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.23113\",\"matchCriteriaId\":\"EF17B41C-0BC4-4E09-8A6A-FCC25AD1235F\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

WID-SEC-W-2023-3140

Vulnerability from csaf_certbund

Published

2023-12-12 23:00

Modified

2023-12-12 23:00

Summary

Microsoft Azure Produkte: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Azure ist eine Cloud Computing-Plattform von Microsoft.

Angriff

Ein lokaler oder entfernter, anonymer Angreifer kann mehrere Schwachstellen in verschiedenen Microsoft Azure Produkten ausnutzen, um Dateien zu manipulieren, Informationen offenzulegen und um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Azure ist eine Cloud Computing-Plattform von Microsoft.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler oder entfernter, anonymer Angreifer kann mehrere Schwachstellen in verschiedenen Microsoft Azure Produkten ausnutzen, um Dateien zu manipulieren, Informationen offenzulegen und um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3140 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3140.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3140 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3140"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2023-12-12",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Azure Produkte: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-12-12T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:47.441+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3140",
      "initial_release_date": "2023-12-12T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-12-12T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Azure Connected Machine Agent",
                "product": {
                  "name": "Microsoft Azure Connected Machine Agent",
                  "product_id": "T031624",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:connected_machine_agent"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Logic Apps",
                "product": {
                  "name": "Microsoft Azure Logic Apps",
                  "product_id": "T031625",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:logic_apps"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Machine Learning SDK",
                "product": {
                  "name": "Microsoft Azure Machine Learning SDK",
                  "product_id": "T031626",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:machine_learning_sdk"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Power Platform",
                "product": {
                  "name": "Microsoft Azure Power Platform",
                  "product_id": "T031640",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:power_platform"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-35624",
      "notes": [
        {
          "category": "description",
          "text": "In Microsoft Azure Connected Machine Agent unter Windows besteht eine Schwachstelle. Wenn symbolische Links innerhalb eines Verzeichnisses erstellt werden, das der Agent verwendet, und danach ein Administrator die \"Erweiterungen f\u00fcr virtuelle Maschinen\" installiert, kann der Benutzer, der den symbolischen Link erstellt hat, die Dateien hinter diesem symbolischen Link l\u00f6schen, selbst wenn er nicht die Berechtigung hat, die Dateien selbst direkt zu l\u00f6schen. Ein lokaler Angreifer mit ausreichenden Rechten zum Erstellen von Symlinks kann dies ausnutzen, um beliebige Dateien als SYSTEM-Benutzer zu l\u00f6schen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031624"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-35624"
    },
    {
      "cve": "CVE-2023-35625",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle im Microsoft Azure Machine Learning SDK. Unter bestimmten Bedingungen k\u00f6nnen Fehlermeldungen benutzerspezifische Machine Learning (ML) Trainingsdaten enthalten. Ein Angreifer, der diese Fehlermeldungen ausl\u00f6sen kann, kann dies zur Offenlegung von Informationen ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031626"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-35625"
    },
    {
      "cve": "CVE-2023-36019",
      "notes": [
        {
          "category": "description",
          "text": "In Microsoft Azure Logic Apps und der Power Platform existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in \"Admin Center\" und \"Service Health\" nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031640",
          "T031626"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-36019"
    }
  ]
}

wid-sec-w-2023-3140

Vulnerability from csaf_certbund

Published

2023-12-12 23:00

Modified

2023-12-12 23:00

Summary

Microsoft Azure Produkte: Mehrere Schwachstellen

Notes

Produktbeschreibung

Azure ist eine Cloud Computing-Plattform von Microsoft.

Angriff

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Azure ist eine Cloud Computing-Plattform von Microsoft.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler oder entfernter, anonymer Angreifer kann mehrere Schwachstellen in verschiedenen Microsoft Azure Produkten ausnutzen, um Dateien zu manipulieren, Informationen offenzulegen und um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3140 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3140.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3140 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3140"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2023-12-12",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Azure Produkte: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-12-12T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:47.441+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3140",
      "initial_release_date": "2023-12-12T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-12-12T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Azure Connected Machine Agent",
                "product": {
                  "name": "Microsoft Azure Connected Machine Agent",
                  "product_id": "T031624",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:connected_machine_agent"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Logic Apps",
                "product": {
                  "name": "Microsoft Azure Logic Apps",
                  "product_id": "T031625",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:logic_apps"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Machine Learning SDK",
                "product": {
                  "name": "Microsoft Azure Machine Learning SDK",
                  "product_id": "T031626",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:machine_learning_sdk"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Azure Power Platform",
                "product": {
                  "name": "Microsoft Azure Power Platform",
                  "product_id": "T031640",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:power_platform"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-35624",
      "notes": [
        {
          "category": "description",
          "text": "In Microsoft Azure Connected Machine Agent unter Windows besteht eine Schwachstelle. Wenn symbolische Links innerhalb eines Verzeichnisses erstellt werden, das der Agent verwendet, und danach ein Administrator die \"Erweiterungen f\u00fcr virtuelle Maschinen\" installiert, kann der Benutzer, der den symbolischen Link erstellt hat, die Dateien hinter diesem symbolischen Link l\u00f6schen, selbst wenn er nicht die Berechtigung hat, die Dateien selbst direkt zu l\u00f6schen. Ein lokaler Angreifer mit ausreichenden Rechten zum Erstellen von Symlinks kann dies ausnutzen, um beliebige Dateien als SYSTEM-Benutzer zu l\u00f6schen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031624"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-35624"
    },
    {
      "cve": "CVE-2023-35625",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle im Microsoft Azure Machine Learning SDK. Unter bestimmten Bedingungen k\u00f6nnen Fehlermeldungen benutzerspezifische Machine Learning (ML) Trainingsdaten enthalten. Ein Angreifer, der diese Fehlermeldungen ausl\u00f6sen kann, kann dies zur Offenlegung von Informationen ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031626"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-35625"
    },
    {
      "cve": "CVE-2023-36019",
      "notes": [
        {
          "category": "description",
          "text": "In Microsoft Azure Logic Apps und der Power Platform existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in \"Admin Center\" und \"Service Health\" nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031640",
          "T031626"
        ]
      },
      "release_date": "2023-12-12T23:00:00.000+00:00",
      "title": "CVE-2023-36019"
    }
  ]
}

CERTFR-2023-AVI-1024

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans Microsoft Azure. Elles permettent à un attaquant de provoquer une usurpation d'identité, une élévation de privilèges et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Azure	Azure Connected Machine Agent
Microsoft	Azure	Azure Logic Apps
Microsoft	Azure	Azure Machine Learning SDK

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 12 décembre 2023	None	vendor-advisory
Bulletin de sécurité Microsoft CVE-2023-35625 du 12 décembre 2023	-	other
Bulletin de sécurité Microsoft CVE-2023-36019 du 12 décembre 2023	-	other
Bulletin de sécurité Microsoft CVE-2023-35624 du 12 décembre 2023	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Azure Connected Machine Agent",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Logic Apps",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Machine Learning SDK",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-35625",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35625"
    },
    {
      "name": "CVE-2023-35624",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35624"
    },
    {
      "name": "CVE-2023-36019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36019"
    }
  ],
  "initial_release_date": "2023-12-13T00:00:00",
  "last_revision_date": "2023-12-13T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-35625 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35625"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-36019 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-35624 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35624"
    }
  ],
  "reference": "CERTFR-2023-AVI-1024",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eMicrosoft Azure\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer une usurpation d\u0027identit\u00e9, une \u00e9l\u00e9vation de privil\u00e8ges et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

CERTFR-2023-AVI-1025

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une usurpation d'identité et un déni de service.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Power Platform
Microsoft	N/A	Dynamics 365 pour Finance and Operations Platform Update 60
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 9.1
Microsoft	N/A	Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft	N/A	Dynamics 365 pour Finance and Operations Version 10.0.38 Platform Update 62
Microsoft	N/A	Dynamics 365 pour Finance and Operations Version 10.0.37 Platform Update 61
Microsoft	N/A	Microsoft Malware Protection Platform

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 12 décembre 2023	None	vendor-advisory
Bulletin de sécurité Microsoft CVE-2023-36019 du 12 décembre 2023	-	other
Bulletin de sécurité Microsoft CVE-2023-36010 du 12 décembre 2023	-	other
Bulletin de sécurité Microsoft CVE-2023-36020 du 12 décembre 2023	-	other
Bulletin de sécurité Microsoft CVE-2023-35621 du 12 décembre 2023	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Power Platform",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 pour Finance and Operations Platform Update 60",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 pour Finance and Operations Version 10.0.38 Platform Update 62",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 pour Finance and Operations Version 10.0.37 Platform Update 61",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Malware Protection Platform",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-35621",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35621"
    },
    {
      "name": "CVE-2023-36019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36019"
    },
    {
      "name": "CVE-2023-36020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36020"
    },
    {
      "name": "CVE-2023-36010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36010"
    }
  ],
  "initial_release_date": "2023-12-13T00:00:00",
  "last_revision_date": "2023-12-13T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-36019 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-36010 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36010"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-36020 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36020"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2023-35621 du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35621"
    }
  ],
  "reference": "CERTFR-2023-AVI-1025",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une usurpation d\u0027identit\u00e9 et un d\u00e9ni de service.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 12 d\u00e9cembre 2023",
      "url": "https://msrc.microsoft.com/update-guide/"
    }
  ]
}

msrc_cve-2023-36019

Vulnerability from csaf_microsoft

Published

2023-12-12 08:00

Modified

2024-02-16 08:00

Summary

Microsoft Power Platform Connector Spoofing Vulnerability

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action

Required. The vulnerability documented by this CVE requires customer action to resolve.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Kaixuan Luo with Summer Intern @ Samsung Research America, PhD Student @ The Chinese University of Hong Kong"
        ]
      },
      {
        "names": [
          "Adonis Fung with Samsung Research America"
        ]
      },
      {
        "names": [
          "\u003ca href=\"https://twitter.com/sanebow\"\u003eXianbo Wang (@sanebow)\u003c/a\u003e with The Chinese University of Hong Kong"
        ]
      },
      {
        "names": [
          "Wing Cheong Lau with The Chinese University of Hong Kong"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
      },
      {
        "category": "self",
        "summary": "CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/2023/msrc_cve-2023-36019.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Power Platform Connector Spoofing Vulnerability",
    "tracking": {
      "current_release_date": "2024-02-16T08:00:00.000Z",
      "generator": {
        "date": "2025-01-01T02:18:26.173Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-36019",
      "initial_release_date": "2023-12-12T08:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-12-12T08:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-02-13T08:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Updated the mitigation to inform customers with existing OAuth 2.0 connectors that these connectors must be updated to use a per-connector redirect URI by March 29, 2024. After March 29, 2024, users will no longer be able to create connections to or use existing OAuth 2.0 custom connectors that have not been updated. For more information see https://learn.microsoft.com/en-us/connectors/custom-connectors/#21-oauth-20. This is an informational change only."
        },
        {
          "date": "2024-02-16T08:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Added clarifying information to the mitigation. This is an informational change only."
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c3.23113",
            "product": {
              "name": "Microsoft Power Platform \u003c3.23113",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "3.23113",
            "product": {
              "name": "Microsoft Power Platform 3.23113",
              "product_id": "12263"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Power Platform"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c3.23113",
            "product": {
              "name": "Azure Logic Apps \u003c3.23113",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "3.23113",
            "product": {
              "name": "Azure Logic Apps 3.23113",
              "product_id": "12228"
            }
          }
        ],
        "category": "product_name",
        "name": "Azure Logic Apps"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-36019",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "The user would have to click on a specially crafted URL to be compromised by the attacker.",
          "title": "According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?"
        },
        {
          "category": "faq",
          "text": "The vulnerability is in the web server, but the malicious scripts execute in the victim\u2019s browser on their machine.",
          "title": "According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "Microsoft notified affected customers about this change in behavior via Microsoft 365 Admin Center (MC690931) or Service Health in the Azure Portal (3_SH-LTG) starting on November 17th, 2023. You will need to validate your custom connectors and follow the guidance to make the switch to the per-connector URI.",
          "title": "How do I know if my connector does not have a per-connector redirect URI?"
        },
        {
          "category": "faq",
          "text": "Notifications were sent to customers via the Microsoft 365 Admin Center using a Data Privacy tag. This means that only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them at https://azure.microsoft.com/en-us/blog/understanding-service-health-communications-for-azure-vulnerabilities/. If you are a Logic Apps customer, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.",
          "title": "How do I know if a notification was sent to my organization?"
        },
        {
          "category": "faq",
          "text": "An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.",
          "title": "What is the nature of the spoofing?"
        }
      ],
      "product_status": {
        "fixed": [
          "12228",
          "12263"
        ],
        "known_affected": [
          "1",
          "2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
        },
        {
          "category": "self",
          "summary": "CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-12T08:00:00.000Z",
          "details": "3.23113:Security Update:https://learn.microsoft.com/en-us/connectors/custom-connectors/#21-oauth-20",
          "product_ids": [
            "1",
            "2"
          ],
          "url": "https://learn.microsoft.com/en-us/connectors/custom-connectors/#21-oauth-20"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "CHANGED",
            "temporalScore": 8.3,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Spoofing"
        },
        {
          "category": "exploit_status",
          "details": "Exploited:No;Latest Software Release:Exploitation Less Likely"
        }
      ],
      "title": "Microsoft Power Platform Connector Spoofing Vulnerability"
    }
  ]
}

ghsa-xg84-73vx-pq6f

Vulnerability from github

Published

2023-12-12 18:31

Modified

2023-12-12 18:31

Severity ?

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

Microsoft Power Platform Connector Spoofing Vulnerability

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-36019"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T18:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "Microsoft Power Platform Connector Spoofing Vulnerability",
  "id": "GHSA-xg84-73vx-pq6f",
  "modified": "2023-12-12T18:31:35Z",
  "published": "2023-12-12T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36019"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

fkie_cve-2023-36019

Vulnerability from fkie_nvd

Published

2023-12-12 18:15

Modified

2024-11-21 08:09

Severity ?

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Summary

Microsoft Power Platform Connector Spoofing Vulnerability

References

	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	microsoft	azure_logic_apps	*
	microsoft	power_platform	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:azure_logic_apps:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3986CDFF-03DF-41B7-8655-59C0EF1CED24",
              "versionEndExcluding": "3.23113",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:power_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF17B41C-0BC4-4E09-8A6A-FCC25AD1235F",
              "versionEndExcluding": "3.23113",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Microsoft Power Platform Connector Spoofing Vulnerability"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de suplantaci\u00f3n de identidad del conector Microsoft Power Platform"
    }
  ],
  "id": "CVE-2023-36019",
  "lastModified": "2024-11-21T08:09:11.147",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-12T18:15:22.157",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2023-36019

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Microsoft Power Platform Connector Spoofing Vulnerability

Aliases

CVE-2023-36019

Aliases

CVE-2023-36019

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-36019",
    "id": "GSD-2023-36019"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-36019"
      ],
      "details": "Microsoft Power Platform Connector Spoofing Vulnerability",
      "id": "GSD-2023-36019",
      "modified": "2023-12-13T01:20:34.486203Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2023-36019",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Microsoft Power Platform",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.0.0",
                          "version_value": "3.23113"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Azure Logic Apps",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.0",
                          "version_value": "3.23113"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Microsoft Power Platform Connector Spoofing Vulnerability"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019",
            "refsource": "MISC",
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:microsoft:azure_logic_apps:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3986CDFF-03DF-41B7-8655-59C0EF1CED24",
                    "versionEndExcluding": "3.23113",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:microsoft:power_platform:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "EF17B41C-0BC4-4E09-8A6A-FCC25AD1235F",
                    "versionEndExcluding": "3.23113",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Microsoft Power Platform Connector Spoofing Vulnerability"
          },
          {
            "lang": "es",
            "value": "Vulnerabilidad de suplantaci\u00f3n de identidad del conector Microsoft Power Platform"
          }
        ],
        "id": "CVE-2023-36019",
        "lastModified": "2023-12-18T15:09:16.643",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 4.0,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 6.0,
              "source": "secure@microsoft.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-12T18:15:22.157",
        "references": [
          {
            "source": "secure@microsoft.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019"
          }
        ],
        "sourceIdentifier": "secure@microsoft.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-36019 (GCVE-0-2023-36019)

Vulnerability from cvelistv5

Vulnerability from csaf_certbund

Vulnerability from csaf_certbund

Vulnerability from certfr_avis

Solution

Vulnerability from certfr_avis

Solution

Vulnerability from csaf_microsoft

Vulnerability from github

Vulnerability from fkie_nvd

Vulnerability from gsd

Tags

Sightings

Nomenclature