Microsoft CVE Summary

This report contains detail for the following vulnerabilities:

Tag CVE ID CVE Title
Azure CVE-2023-23408 Azure Apache Ambari Spoofing Vulnerability
Client Server Run-time Subsystem (CSRSS) CVE-2023-23409 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability
Client Server Run-time Subsystem (CSRSS) CVE-2023-23394 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability
Internet Control Message Protocol (ICMP) CVE-2023-23415 Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Mariner CVE-2023-0567 Unknown
Mariner CVE-2023-20052 Unknown
Mariner CVE-2023-20032 Unknown
Microsoft Bluetooth Driver CVE-2023-23388 Windows Bluetooth Driver Elevation of Privilege Vulnerability
Microsoft Dynamics CVE-2023-24920 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Dynamics CVE-2023-24879 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Dynamics CVE-2023-24919 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Dynamics CVE-2023-24891 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Dynamics CVE-2023-24922 Microsoft Dynamics 365 Information Disclosure Vulnerability
Microsoft Dynamics CVE-2023-24921 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Edge (Chromium-based) CVE-2023-1236 Chromium: CVE-2023-1236 Inappropriate implementation in Internals
Microsoft Edge (Chromium-based) CVE-2023-1235 Chromium: CVE-2023-1235 Type Confusion in DevTools
Microsoft Edge (Chromium-based) CVE-2023-1213 Chromium: CVE-2023-1213 Use after free in Swiftshader
Microsoft Edge (Chromium-based) CVE-2023-24892 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability
Microsoft Edge (Chromium-based) CVE-2023-1234 Chromium: CVE-2023-1234 Inappropriate implementation in Intents
Microsoft Edge (Chromium-based) CVE-2023-1223 Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill
Microsoft Edge (Chromium-based) CVE-2023-1222 Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API
Microsoft Edge (Chromium-based) CVE-2023-1221 Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API
Microsoft Edge (Chromium-based) CVE-2023-1229 Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts
Microsoft Edge (Chromium-based) CVE-2023-1228 Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents
Microsoft Edge (Chromium-based) CVE-2023-1224 Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API
Microsoft Edge (Chromium-based) CVE-2023-1220 Chromium: CVE-2023-1220 Heap buffer overflow in UMA
Microsoft Edge (Chromium-based) CVE-2023-1216 Chromium: CVE-2023-1216 Use after free in DevTools
Microsoft Edge (Chromium-based) CVE-2023-1215 Chromium: CVE-2023-1215 Type Confusion in CSS
Microsoft Edge (Chromium-based) CVE-2023-1214 Chromium: CVE-2023-1214 Type Confusion in V8
Microsoft Edge (Chromium-based) CVE-2023-1219 Chromium: CVE-2023-1219 Heap buffer overflow in Metrics
Microsoft Edge (Chromium-based) CVE-2023-1218 Chromium: CVE-2023-1218 Use after free in WebRTC
Microsoft Edge (Chromium-based) CVE-2023-1217 Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting
Microsoft Edge (Chromium-based) CVE-2023-1230 Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs
Microsoft Edge (Chromium-based) CVE-2023-1232 Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing
Microsoft Edge (Chromium-based) CVE-2023-1233 Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing
Microsoft Edge (Chromium-based) CVE-2023-1231 Chromium: CVE-2023-1231 Inappropriate implementation in Autofill
Microsoft Graphics Component CVE-2023-24910 Windows Graphics Component Elevation of Privilege Vulnerability
Microsoft Office Excel CVE-2023-23398 Microsoft Excel Spoofing Vulnerability
Microsoft Office Excel CVE-2023-23396 Microsoft Excel Denial of Service Vulnerability
Microsoft Office Excel CVE-2023-23399 Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office Outlook CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft Office SharePoint CVE-2023-23395 Microsoft SharePoint Server Spoofing Vulnerability
Microsoft OneDrive CVE-2023-24890 Microsoft OneDrive for iOS Security Feature Bypass Vulnerability
Microsoft OneDrive CVE-2023-24930 Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability
Microsoft OneDrive CVE-2023-24882 Microsoft OneDrive for Android Information Disclosure Vulnerability
Microsoft OneDrive CVE-2023-24923 Microsoft OneDrive for Android Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24907 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24857 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24868 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24872 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24876 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24913 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24864 Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24866 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24906 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24867 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24863 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24858 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24911 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24870 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24909 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-23406 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-23413 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript Printer Driver CVE-2023-24856 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft Printer Drivers CVE-2023-24865 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
Microsoft Printer Drivers CVE-2023-23403 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft Windows Codecs Library CVE-2023-23401 Windows Media Remote Code Execution Vulnerability
Microsoft Windows Codecs Library CVE-2023-23402 Windows Media Remote Code Execution Vulnerability
Office for Android CVE-2023-23391 Office for Android Spoofing Vulnerability
Remote Access Service Point-to-Point Tunneling Protocol CVE-2023-23404 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Role: DNS Server CVE-2023-23400 Windows DNS Server Remote Code Execution Vulnerability
Role: Windows Hyper-V CVE-2023-23411 Windows Hyper-V Denial of Service Vulnerability
Service Fabric CVE-2023-23383 Service Fabric Explorer Spoofing Vulnerability
Visual Studio CVE-2023-23618 GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability
Visual Studio CVE-2023-22743 GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability
Visual Studio CVE-2023-23946 GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability
Visual Studio CVE-2023-22490 GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability
Windows Accounts Control CVE-2023-23412 Windows Accounts Picture Elevation of Privilege Vulnerability
Windows Bluetooth Service CVE-2023-24871 Windows Bluetooth Service Remote Code Execution Vulnerability
Windows Central Resource Manager CVE-2023-23393 Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability
Windows Cryptographic Services CVE-2023-23416 Windows Cryptographic Services Remote Code Execution Vulnerability
Windows Defender CVE-2023-23389 Microsoft Defender Elevation of Privilege Vulnerability
Windows HTTP Protocol Stack CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability
Windows HTTP.sys CVE-2023-23410 Windows HTTP.sys Elevation of Privilege Vulnerability
Windows Internet Key Exchange (IKE) Protocol CVE-2023-24859 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
Windows Kernel CVE-2023-23420 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2023-23422 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2023-23421 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2023-23423 Windows Kernel Elevation of Privilege Vulnerability
Windows Partition Management Driver CVE-2023-23417 Windows Partition Management Driver Elevation of Privilege Vulnerability
Windows Point-to-Point Protocol over Ethernet (PPPoE) CVE-2023-23407 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability
Windows Point-to-Point Protocol over Ethernet (PPPoE) CVE-2023-23385 Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability
Windows Point-to-Point Protocol over Ethernet (PPPoE) CVE-2023-23414 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability
Windows Remote Procedure Call CVE-2023-21708 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Windows Remote Procedure Call Runtime CVE-2023-23405 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Windows Remote Procedure Call Runtime CVE-2023-24869 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Windows Remote Procedure Call Runtime CVE-2023-24908 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Windows Resilient File System (ReFS) CVE-2023-23419 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Windows Resilient File System (ReFS) CVE-2023-23418 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Windows Secure Channel CVE-2023-24862 Windows Secure Channel Denial of Service Vulnerability
Windows SmartScreen CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability
Windows TPM CVE-2023-1017 CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability
Windows TPM CVE-2023-1018 CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability
Windows Win32K CVE-2023-24861 Windows Graphics Component Elevation of Privilege Vulnerability

CVE-2023-1213 - Chromium: CVE-2023-1213 Use after free in Swiftshader

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1213
MITRE
NVD
CVE Title: Chromium: CVE-2023-1213 Use after free in Swiftshader
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1213
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1213 None

CVE-2023-1214 - Chromium: CVE-2023-1214 Type Confusion in V8

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1214
MITRE
NVD
CVE Title: Chromium: CVE-2023-1214 Type Confusion in V8
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1214
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1214 None

CVE-2023-1215 - Chromium: CVE-2023-1215 Type Confusion in CSS

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1215
MITRE
NVD
CVE Title: Chromium: CVE-2023-1215 Type Confusion in CSS
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1215
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1215 None

CVE-2023-1216 - Chromium: CVE-2023-1216 Use after free in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1216
MITRE
NVD
CVE Title: Chromium: CVE-2023-1216 Use after free in DevTools
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1216
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1216 None

CVE-2023-1217 - Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1217
MITRE
NVD
CVE Title: Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1217
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1217 None

CVE-2023-1218 - Chromium: CVE-2023-1218 Use after free in WebRTC

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1218
MITRE
NVD
CVE Title: Chromium: CVE-2023-1218 Use after free in WebRTC
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1218
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1218 None

CVE-2023-1219 - Chromium: CVE-2023-1219 Heap buffer overflow in Metrics

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1219
MITRE
NVD
CVE Title: Chromium: CVE-2023-1219 Heap buffer overflow in Metrics
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1219
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1219 None

CVE-2023-1220 - Chromium: CVE-2023-1220 Heap buffer overflow in UMA

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1220
MITRE
NVD
CVE Title: Chromium: CVE-2023-1220 Heap buffer overflow in UMA
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1220
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1220 None

CVE-2023-1221 - Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1221
MITRE
NVD
CVE Title: Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1221
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1221 None

CVE-2023-1222 - Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1222
MITRE
NVD
CVE Title: Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1222
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1222 None

CVE-2023-1223 - Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1223
MITRE
NVD
CVE Title: Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1223
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1223 None

CVE-2023-1224 - Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1224
MITRE
NVD
CVE Title: Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1224
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1224 None

CVE-2023-1228 - Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1228
MITRE
NVD
CVE Title: Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1228
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1228 None

CVE-2023-1229 - Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1229
MITRE
NVD
CVE Title: Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1229
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1229 None

CVE-2023-1230 - Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1230
MITRE
NVD
CVE Title: Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1230
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1230 None

CVE-2023-1231 - Chromium: CVE-2023-1231 Inappropriate implementation in Autofill

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1231
MITRE
NVD
CVE Title: Chromium: CVE-2023-1231 Inappropriate implementation in Autofill
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1231
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1231 None

CVE-2023-1232 - Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1232
MITRE
NVD
CVE Title: Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1232
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Edge (Chromium-based) Extended Stable Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1232 None

CVE-2023-1233 - Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1233
MITRE
NVD
CVE Title: Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1233
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1233 None

CVE-2023-1234 - Chromium: CVE-2023-1234 Inappropriate implementation in Intents

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1234
MITRE
NVD
CVE Title: Chromium: CVE-2023-1234 Inappropriate implementation in Intents
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1234
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1234 None

CVE-2023-1235 - Chromium: CVE-2023-1235 Type Confusion in DevTools

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1235
MITRE
NVD
CVE Title: Chromium: CVE-2023-1235 Type Confusion in DevTools
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1235
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1235 None

CVE-2023-1236 - Chromium: CVE-2023-1236 Inappropriate implementation in Internals

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-1236
MITRE
NVD
CVE Title: Chromium: CVE-2023-1236 Inappropriate implementation in Internals
CVSS:
None
FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released
Stable 111.0.1661.41 111.0.5563.65 3/13/2023
Extended Stable 110.0.1587.69 110.0.5481.192 3/13/2023

Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-13T07:00:00    

Information published.


Unknown Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Found

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-1236
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Edge (Chromium-based) Release Notes (Security Update) Unknown Unknown None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-1236 None

CVE-2023-23383 - Service Fabric Explorer Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23383
MITRE
NVD
CVE Title: Service Fabric Explorer Spoofing Vulnerability
CVSS:

CVSS:3.1 8.2/7.1
Base score metrics
Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionRequired
ScopeChanged
ConfidentialityLow
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A victim user would have to click the stored XSS payload injected by the attacker to be compromised.


How can I update my Service Fabric Cluster to the latest version?

If you have automatic updates, no action is needed. However, for those who choose to manually update, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23383
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Azure Service Fabric 9.1 for Ubuntu Release Notes (Security Update) Important Spoofing None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H/E:U/RL:O/RC:C
Maybe
Azure Service Fabric 9.1 for Windows Release Notes (Security Update) Important Spoofing None Base: 8.2
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23383 Lidor B. with Orca Security


CVE-2023-23385 - Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23385
MITRE
NVD
CVE Title: Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 7.0/6.1
Base score metrics
Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23385
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5023713 (Security Update) Important Elevation of Privilege 5022858 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5023713 (Security Update) Important Elevation of Privilege 5022921 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Elevation of Privilege 5022890
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Elevation of Privilege 5022890
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Elevation of Privilege 5022890
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Elevation of Privilege 5022890
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 5023769 (Monthly Rollup)
5023759 (Security Only)
5023769 (Monthly Rollup)
5023759 (Security Only)
Important Elevation of Privilege 5022874
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5023769 (Monthly Rollup)
5023759 (Security Only)
5023769 (Monthly Rollup)
5023759 (Security Only)
Important Elevation of Privilege 5022874
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2012 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Elevation of Privilege 5022903
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Elevation of Privilege 5022903
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Elevation of Privilege 5022899
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2012 R2 (Server Core installation) 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Elevation of Privilege 5022899
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2016 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23385 Yuki Chen with Cyber KunLun


CVE-2023-23388 - Windows Bluetooth Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23388
MITRE
NVD
CVE Title: Windows Bluetooth Driver Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 8.8/7.7
Base score metrics
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeChanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

How could an attacker exploit this vulnerability?

An authorized attacker could exploit the Windows Bluetooth driver vulnerability by programmatically running certain functions that could lead to elevation of privilege on the Bluetooth component.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23388
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Elevation of Privilege 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23388 goodbyeselene


CVE-2023-23389 - Microsoft Defender Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23389
MITRE
NVD
CVE Title: Microsoft Defender Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 6.3/5.5
Base score metrics
Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityNone
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


References Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability 1.1.xxxx.3
First version of the Microsoft Malware Protection Engine with this vulnerability addressed Version 1.1.xxxxx.2

See Manage Updates Baselines Microsoft Defender Antivirus for more information.

Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?

Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.

How often are the Microsoft Malware Protection Engine and malware definitions updated?

Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.

Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default?

Defender runs on all supported version of Windows.

Are there other products that use the Microsoft Malware Protection Engine?

Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

Does this update contain any additional security-related changes to functionality?

Yes.  In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.

Suggested Actions

Verify that the update is installed

Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

  1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.
  2. In the navigation pane, select Virus & threat protection.
  3. Under Virus & threat protection updates in the main window, select Check for updates
  4. Select Check for updates again.
  5. In the navigation pane, select Settings, and then select About.
  6. Examine the Engine Version number. The update was successfully installed if the Malware Protection Engine version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) but have major impact on integrity (I:H) and on availability (A:H). What does that mean for this vulnerability?

This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23389
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Malware Protection Engine Release Notes (Security Update) Important Elevation of Privilege None Base: 6.3
Temporal: 5.5
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23389 Abdelhamid Naceri


CVE-2023-23391 - Office for Android Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23391
MITRE
NVD
CVE Title: Office for Android Spoofing Vulnerability
CVSS:

CVSS:3.1 5.5/4.8
Base score metrics
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityNone
IntegrityHigh
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, the attack vector is local (AV:L) and user interaction is required (UI:R), what does that mean for this vulnerability?

The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to click on a local file path link or download and run a malicious application or file.


What is the nature of the spoofing?

An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23391
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Office for Android Release Notes (Security Update) Important Spoofing None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23391 Dimitrios Valsamaras with Microsoft


CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23392
MITRE
NVD
CVE Title: HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 9.8/8.5
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

How could an attacker exploit this vulnerability?

In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.


Mitigations:

Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23392
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Critical Remote Code Execution 5022836 Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Critical Remote Code Execution 5022836 Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Critical Remote Code Execution 5022845
Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Critical Remote Code Execution 5022845
Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Critical Remote Code Execution 5022842

5022921
Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Critical Remote Code Execution 5022842

5022921
Base: 9.8
Temporal: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23392



CVE-2023-23393 - Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23393
MITRE
NVD
CVE Title: Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 7.0/6.1
Base score metrics
Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.


What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23393
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege 5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Elevation of Privilege
5022834
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Elevation of Privilege 5022836 Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Elevation of Privilege 5022845
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Elevation of Privilege 5022840
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Elevation of Privilege 5022842

5022921
Base: 7.0
Temporal: 6.1
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23393 None

CVE-2023-23394 - Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23394
MITRE
NVD
CVE Title: Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability
CVSS:

CVSS:3.1 5.5/4.8
Base score metrics
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityNone
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could view heap memory from a privileged process running on the server.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23394
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5023713 (Security Update) Important Information Disclosure 5022858 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5023713 (Security Update) Important Information Disclosure 5022921 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Information Disclosure 5022836 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Information Disclosure 5022836 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Information Disclosure 5022845
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Information Disclosure 5022845
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Information Disclosure 5022890
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Information Disclosure 5022890
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Information Disclosure 5022890
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
5023755 (Monthly Rollup)
5023754 (Security Only)
Important Information Disclosure 5022890
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 5023769 (Monthly Rollup)
5023759 (Security Only)
5023769 (Monthly Rollup)
5023759 (Security Only)
Important Information Disclosure 5022874
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5023769 (Monthly Rollup)
5023759 (Security Only)
5023769 (Monthly Rollup)
5023759 (Security Only)
Important Information Disclosure 5022874
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2012 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Information Disclosure 5022903
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Information Disclosure 5022903
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Information Disclosure 5022899
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2012 R2 (Server Core installation) 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Information Disclosure 5022899
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2016 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Information Disclosure 5022842

5022921
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Information Disclosure 5022842

5022921
Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23394 lm0963, l1nk3d, and renyimen with TianGong Team of Legendsec at Qi'anxin Group


CVE-2023-23395 - Microsoft SharePoint Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23395
MITRE
NVD
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
CVSS:

CVSS:3.1 3.1/2.7
Base score metrics
Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityNone
IntegrityLow
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.


I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:

  • Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
  • Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.


I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ?

Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23395
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2013 Service Pack 1 5002366 (Cumulative Update)
5002367 (Security Update)
5002168 (Security Update)
5002367 (Security Update)
5002168 (Security Update)
Important Spoofing
5002347
5002147
Base: 3.1
Temporal: 2.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Enterprise Server 2016 5002368 (Security Update) Important Spoofing 5002350 Base: 3.1
Temporal: 2.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Foundation 2013 Service Pack 1 5002367 (Security Update)
5002168 (Security Update)
5002367 (Security Update)
5002168 (Security Update)
Important Spoofing 5002347
5002147
Base: 3.1
Temporal: 2.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server 2019 5002358 (Security Update) Important Spoofing 5002342 Base: 3.1
Temporal: 2.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft SharePoint Server Subscription Edition 5002355 (Security Update) Important Spoofing 5002353
Base: 3.1
Temporal: 2.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23395

CVE-2023-23396 - Microsoft Excel Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23396
MITRE
NVD
CVE Title: Microsoft Excel Denial of Service Vulnerability
CVSS:

CVSS:3.1 6.5/5.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityNone
IntegrityNone
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


How could an attacker exploit this vulnerability?

The attacker could exploit this vulnerability by convincing a victim to open a specially crafted XLSX file which when opened would cause a denial-of-service condition for other processes running on that machine.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23396
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Office Online Server 5002356 (Security Update) Important Denial of Service 5002309 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office Web Apps Server 2013 Service Pack 1 5002362 (Security Update) Important Denial of Service 5002313 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23396 Luca Barile


CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23397
MITRE
NVD
CVE Title: Microsoft Outlook Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 9.8/9.1
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityFunctional
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.


Is the Preview Pane an attack vector for this vulnerability?

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.


How could an attacker exploit this vulnerability?

External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.


Where can I find more information about NTLM relay attacks?

Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.


Mitigations:

Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Critical Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Detected No Yes

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23397
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Critical Elevation of Privilege Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
No
Microsoft Outlook 2013 RT Service Pack 1 5002265 (Security Update)
5002265 (Security Update)
Critical Elevation of Privilege 5001990 Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Maybe
Microsoft Outlook 2013 Service Pack 1 (32-bit editions) 5002265 (Security Update) Critical Elevation of Privilege 5001990 Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Maybe
Microsoft Outlook 2013 Service Pack 1 (64-bit editions) 5002265 (Security Update)
5002265 (Security Update)
Critical Elevation of Privilege 5001990 Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Maybe
Microsoft Outlook 2016 (32-bit edition) 5002254 (Security Update) Critical Elevation of Privilege 5002051 Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Maybe
Microsoft Outlook 2016 (64-bit edition) 5002254 (Security Update) Critical Elevation of Privilege 5002051 Base: 9.8
Temporal: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23397 CERT-UA, Microsoft Incident, Microsoft Threat Intelligence (MSTI)


CVE-2023-23398 - Microsoft Excel Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23398
MITRE
NVD
CVE Title: Microsoft Excel Spoofing Vulnerability
CVSS:

CVSS:3.1 7.1/6.2
Base score metrics
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel and click the security warning prompt to "Enable Content".

  • In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
  • In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.


According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) and major loss of integrity (I:H) but have no effect on availability (A:N). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could trick a user into enabling content that they are unable to inspect. However, this vulnerability would not allow an attacker to deny any function.


According to the CVSS metric, the attack vector is local (AV:L) but no privileges are required (PR:N) and user interaction is required (UI:R). How could an attacker exploit this spoofing vulnerability?

The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23398
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No
Microsoft Excel 2013 RT Service Pack 1 5002348 (Security Update) Important Spoofing 5002320 Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2013 Service Pack 1 (32-bit editions) 5002348 (Security Update)
5002348 (Security Update)
Important Spoofing 5002320 Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2013 Service Pack 1 (64-bit editions) 5002348 (Security Update)
5002348 (Security Update)
Important Spoofing 5002320 Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (32-bit edition) 5002351 (Security Update) Important Spoofing 5002322 Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002351 (Security Update) Important Spoofing 5002322 Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Spoofing Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23398 Anonymous


CVE-2023-23399 - Microsoft Excel Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23399
MITRE
NVD
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 7.8/6.8
Base score metrics
Attack VectorLocal
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23399
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Excel 2013 RT Service Pack 1 5002348 (Security Update) Important Remote Code Execution 5002320 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2013 Service Pack 1 (32-bit editions) 5002348 (Security Update)
5002348 (Security Update)
Important Remote Code Execution 5002320 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2013 Service Pack 1 (64-bit editions) 5002348 (Security Update)
5002348 (Security Update)
Important Remote Code Execution 5002320 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (32-bit edition) 5002351 (Security Update) Important Remote Code Execution 5002322 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Excel 2016 (64-bit edition) 5002351 (Security Update) Important Remote Code Execution 5002322 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2013 RT Service Pack 1 5002198 (Security Update)
5002198 (Security Update)
Important Remote Code Execution 5002148 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2013 Service Pack 1 (32-bit editions) 5002198 (Security Update) Important Remote Code Execution 5002148 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2013 Service Pack 1 (64-bit editions) 5002198 (Security Update)
5002198 (Security Update)
Important Remote Code Execution 5002148 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (32-bit edition) 5002197 (Security Update) Important Remote Code Execution 5002143 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 5002197 (Security Update) Important Remote Code Execution 5002143 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office 2019 for Mac Release Notes (Security Update)
Release Notes (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Click to Run (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update)
Release Notes (Security Update)
Important Remote Code Execution Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office Online Server 5002356 (Security Update) Important Remote Code Execution 5002309 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe
Microsoft Office Web Apps Server 2013 Service Pack 1 5002362 (Security Update) Important Remote Code Execution 5002313 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23399 Rocco Calvi (@TecR0c) with TecSecurity


CVE-2023-23403 - Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-23403
MITRE
NVD
CVE Title: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 8.8/7.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

How could an attacker exploit this vulnerability?

An authenticated attacker with normal privileges could send a modified XPS file to a shared printer, which can result in a remote code execution.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-23403
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5023713 (Security Update) Important Remote Code Execution 5022858 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5023713 (Security Update) Important Remote Code Execution 5022921 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Remote Code Execution 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Remote Code Execution 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Remote Code Execution 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Remote Code Execution 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Remote Code Execution 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution 5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Remote Code Execution
5022834
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Remote Code Execution 5022836 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Remote Code Execution 5022836 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Remote Code Execution 5022845
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Remote Code Execution 5022845
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Remote Code Execution 5022903
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Remote Code Execution 5022903
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Remote Code Execution 5022899
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2012 R2 (Server Core installation) 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Remote Code Execution 5022899
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Yes
Windows Server 2016 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Remote Code Execution 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Remote Code Execution 5022838 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Remote Code Execution 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Remote Code Execution 5022840
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Remote Code Execution 5022842

5022921
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Remote Code Execution 5022842

5022921
Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-23403 kap0k


kap0k


kap0k


Zhiniang Peng (@edwardzpeng) & kap0k


kap0k


kap0k


kap0k


CVE-2023-24856 - Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24856
MITRE
NVD
CVE Title: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
CVSS:

CVSS:3.1 6.5/5.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityNone
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24856
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5023713 (Security Update) Important Information Disclosure 5022858 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5023713 (Security Update) Important Information Disclosure 5022921 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure 5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for 32-bit Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for ARM64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 10 Version 22H2 for x64-based Systems 5023696 (Security Update)
5023696 (Security Update)
5023696 (Security Update)
Important Information Disclosure
5022834
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for ARM64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Information Disclosure 5022836 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 version 21H2 for x64-based Systems 5023698 (Security Update)
5023698 (Security Update)
Important Information Disclosure 5022836 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for ARM64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Information Disclosure 5022845
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows 11 Version 22H2 for x64-based Systems 5023706 (Security Update)
5023706 (Security Update)
Important Information Disclosure 5022845
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Information Disclosure 5022903
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5023756 (Monthly Rollup)
5023752 (Security Only)
5023756 (Monthly Rollup)
5023752 (Security Only)
Important Information Disclosure 5022903
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Information Disclosure 5022899
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2012 R2 (Server Core installation) 5023765 (Monthly Rollup)
5023764 (Security Only)
5023765 (Monthly Rollup)
5023764 (Security Only)
Important Information Disclosure 5022899
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Yes
Windows Server 2016 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
5023697 (Security Update)
Important Information Disclosure 5022838 Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
5023702 (Security Update)
Important Information Disclosure 5022840
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
Windows Server 2022 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Information Disclosure 5022842

5022921
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
No
Windows Server 2022 (Server Core installation) 5023705 (Security Update)
5023786 (AzureHotpatch)
5023705 (Security Update)
5023786 (AzureHotpatch)
Important Information Disclosure 5022842

5022921
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Yes
No

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24856 kap0k


CVE-2023-24919 - Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24919
MITRE
NVD
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS:

CVSS:3.1 5.4/4.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionRequired
ScopeChanged
ConfidentialityLow
IntegrityLow
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would need to click on a specially crafted URL that could present a popup box requesting additional user input.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24919
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Dynamics 365 (on-premises) version 9.0 5023506 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Dynamics 365 (on-premises) version 9.1 5023505 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24919 batram


CVE-2023-24879 - Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24879
MITRE
NVD
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS:

CVSS:3.1 5.4/4.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionRequired
ScopeChanged
ConfidentialityLow
IntegrityLow
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would need to click on a specially crafted URL that could present a popup box requesting additional user input.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24879
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Dynamics 365 (on-premises) version 9.0 5023506 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Dynamics 365 (on-premises) version 9.1 5023505 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24879 batram


CVE-2023-24920 - Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24920
MITRE
NVD
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS:

CVSS:3.1 5.4/4.7
Base score metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionRequired
ScopeChanged
ConfidentialityLow
IntegrityLow
AvailabilityNone
Temporal score metrics
Exploit Code MaturityUnproven
Remediation LevelOfficial Fix
Report ConfidenceConfirmed

FAQ:

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2023-03-14T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24920
Product KB Article Severity Impact Supercedence CVSS Score Set Restart Required
Microsoft Dynamics 365 (on-premises) version 9.0 5023506 (Security Update) Important Spoofing None Base: 5.4
Temporal: 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Maybe
Microsoft Dynamics 365 (on-premises) version 9.1 5023505 (Security Update) Important Spoofing None