CVE-2024-38182
Published: Jul 31, 2024

CVSS 9 | EPSS 0.09% | Critical

Summary

Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.

Impact

This vulnerability has a high impact on confidentiality, integrity, and availability. An unauthenticated attacker can exploit this vulnerability over a network to elevate privileges. The scope of the attack is changed, meaning it can affect resources beyond the vulnerable component.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability.

Mitigation

Apply the official patch provided by Microsoft as soon as possible. Prioritize this update due to the high severity of the vulnerability. Monitor network traffic for suspicious activities. Implement strong network segmentation and access controls to limit potential unauthorized access.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38182.

Jul 31, 2024 at 11:05 PM / CVE
CVSS

A CVSS base score of 9 has been assigned.

Jul 31, 2024 at 11:05 PM / microsoft
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 31, 2024 at 11:06 PM
CVE Assignment

NVD published the first details for CVE-2024-38182

Jul 31, 2024 at 11:15 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 39.5%)

Aug 1, 2024 at 9:46 AM

Affected Systems

Microsoft/dynamics_365

Patches

Microsoft

News

Update Tue Aug 20 14:33:25 UTC 2024
US-CERT Vulnerability Summary for the Week of July 29, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High: vulnerabilities with a CVSS base score of 7.0-10.0
Medium: vulnerabilities with a CVSS base score of 4.0-6.9
Low: vulnerabilities with a CVSS base score of 0.0-3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links.
Vulnerability Summary for the Week of July 29, 2024
High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info)
Apache Software Foundation -- Apache SeaTunnel Web | Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue. | 2024-07-30 | 9.1 | CVE-2023-48396 security@apache.org security@apache.org
n/a -- n/a | An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. | 2024-07-29 | 9.1 | CVE-2024-28805 cve@mitre.org
n/a -- n/a | Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. | 2024-07-30 | 9.8 | CVE-2024-36572 cve@mitre.org cve@mitre.org
n/a -- n/a | SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
cveNotify: CVE-2024-38182 Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network. @cveNotify
CVE-2024-38182
Critical Severity. Description: Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network. Read more at https://www.tenable.com/cve/CVE-2024-38182

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High
