CVE-2023-36019

External Control of File Name or Path (CWE-73)

Published: Dec 12, 2023

010
CVSS 7.4EPSS 0.09%High
CVE info copied to clipboard

Microsoft Power Platform Connector Spoofing Vulnerability

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2023-36019

Dec 12, 2023 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2023-36019. See article

Dec 12, 2023 at 6:21 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Dec 12, 2023 at 6:22 PM
Exploitation in the Wild

Attacks in the wild have been reported by Zero Day Initiative - Blog. See article

Dec 12, 2023 at 6:28 PM / Zero Day Initiative - Blog
Trending

This CVE started to trend in security discussions

Dec 13, 2023 at 6:51 AM
EPSS

EPSS Score was set to: 0.09% (Percentile: 38.3%)

Dec 14, 2023 at 4:27 PM
Threat Intelligence Report

The vulnerability CVE-2023-36019 is a critical vulnerability in the Microsoft Power Platform Connector. It is currently being exploited in the wild by unknown actors. There are no proof-of-concept exploits available, and no mitigations, detections, or patches have been provided yet. The vulnerability may have downstream impacts on other third-party vendors or technology. See article

Dec 20, 2023 at 6:46 AM
CVSS

A CVSS base score of 7.4 has been assigned.

May 29, 2024 at 2:21 AM / nvd
Static CVE Timeline Graph

Affected Systems

Microsoft/power_platform
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-13: Subverting Environment Variable Values
+null more

References

Microsoft Power Platform Connector Spoofing Vulnerability
Microsoft will start updating the custom connectors to use the per connector redirect URLs on February 19, 2024. If you are a Logic Apps customer, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.
CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability
Information published.

News

Microsoft Patches Two Zero Day Holes for February
According to Microsoft, this problem, which has already been seen exploited in the wild, could allow an attacker to bypass usual security checks and warnings to send a malicious file directly to a target. The first of the zero-day issues is a security bypass flaw in how Windows interacts with Internet shortcut files ( CVE-2024-21412 ).
Microsoft Patches Two Zero Day Holes for February
According to Microsoft, this problem, which has already been seen exploited in the wild, could allow an attacker to bypass usual security checks and warnings to send a malicious file directly to a target. The first of the zero-day issues is a security bypass flaw in how Windows interacts with Internet shortcut files ( CVE-2024-21412 ).
Microsoft fixes two zero-days with Patch Tuesday release - The Madras Tribune
Including the recent reports that the Windows SmartScreen vulnerability ( CVE-2024-21351 ) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Microsoft fixes two zero-days with Patch Tuesday release
Including the recent reports that the Windows SmartScreen vulnerability ( CVE-2024-21351 ) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Microsoft Patches Two Zero Day Holes for February
According to Microsoft, this problem, which has already been seen exploited in the wild, could allow an attacker to bypass usual security checks and warnings to send a malicious file directly to a target. The first of the zero-day issues is a security bypass flaw in how Windows interacts with Internet shortcut files ( CVE-2024-21412 ).
See 160 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:None
Integrity:High
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI