Microsoft CVE Summary

This report contains detail for the following vulnerabilities:

| CVE Issued by | Tag | CVE ID | CVE Title |
|---|---|---|---|
| Microsoft | .NET and Visual Studio | CVE-2023-24895 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-33126 | .NET and Visual Studio Remote Code Execution Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-33135 | .NET and Visual Studio Elevation of Privilege Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-32032 | .NET and Visual Studio Elevation of Privilege Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-32030 | .NET and Visual Studio Denial of Service Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-33128 | .NET and Visual Studio Remote Code Execution Vulnerability |
| Microsoft | .NET and Visual Studio | CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
| Microsoft | .NET Core | CVE-2023-29331 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability |
| Microsoft | .NET Framework | CVE-2023-29326 | .NET Framework Remote Code Execution Vulnerability |
| Microsoft | ASP .NET | CVE-2023-33141 | Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability |
| Microsoft | Azure DevOps | CVE-2023-21569 | Azure DevOps Server Spoofing Vulnerability |
| Microsoft | Azure DevOps | CVE-2023-21565 | Azure DevOps Server Spoofing Vulnerability |
| Microsoft | Microsoft Dynamics | CVE-2023-24896 | Dynamics 365 Finance Spoofing Vulnerability |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2941 | Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API |
| Microsoft | Microsoft Edge (Chromium-based) | CVE-2023-33145 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2937 | Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2936 | Chromium: CVE-2023-2936 Type Confusion in V8 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2935 | Chromium: CVE-2023-2935 Type Confusion in V8 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2940 | Chromium: CVE-2023-2940 Inappropriate implementation in Downloads |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2939 | Chromium: CVE-2023-2939 Insufficient data validation in Installer |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2938 | Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2931 | Chromium: CVE-2023-2931 Use after free in PDF |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2930 | Chromium: CVE-2023-2930 Use after free in Extensions |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2929 | Chromium: CVE-2023-2929 Out of bounds write in Swiftshader |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2934 | Chromium: CVE-2023-2934 Out of bounds memory access in Mojo |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2933 | Chromium: CVE-2023-2933 Use after free in PDF |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-2932 | Chromium: CVE-2023-2932 Use after free in PDF |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2023-3079 | Chromium: CVE-2023-3079 Type Confusion in V8 |
| Microsoft | Microsoft Edge (Chromium-based) | CVE-2023-29345 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Microsoft | Microsoft Edge (Chromium-based) | CVE-2023-33143 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| Microsoft | Microsoft Exchange Server | CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft | Microsoft Exchange Server | CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office | CVE-2023-33146 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office Excel | CVE-2023-33133 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office Excel | CVE-2023-32029 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office Excel | CVE-2023-33137 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office OneNote | CVE-2023-33140 | Microsoft OneNote Spoofing Vulnerability |
| Microsoft | Microsoft Office Outlook | CVE-2023-33131 | Microsoft Outlook Remote Code Execution Vulnerability |
| Microsoft | Microsoft Office SharePoint | CVE-2023-33142 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
| Microsoft | Microsoft Office SharePoint | CVE-2023-33129 | Microsoft SharePoint Denial of Service Vulnerability |
| Microsoft | Microsoft Office SharePoint | CVE-2023-33130 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft | Microsoft Office SharePoint | CVE-2023-33132 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft | Microsoft Office SharePoint | CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
| Microsoft | Microsoft Power Apps | CVE-2023-32024 | Microsoft Power Apps Spoofing Vulnerability |
| Microsoft | Microsoft Printer Drivers | CVE-2023-32017 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability |
| Microsoft | Microsoft WDAC OLE DB provider for SQL | CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
| Microsoft | Microsoft Windows Codecs Library | CVE-2023-29370 | Windows Media Remote Code Execution Vulnerability |
| Microsoft | Microsoft Windows Codecs Library | CVE-2023-29365 | Windows Media Remote Code Execution Vulnerability |
| Microsoft | NuGet Client | CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability |
| Microsoft | Remote Desktop Client | CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability |
| Microsoft | Remote Desktop Client | CVE-2023-29352 | Windows Remote Desktop Security Feature Bypass Vulnerability |
| Microsoft | Role: DNS Server | CVE-2023-32020 | Windows DNS Spoofing Vulnerability |
| Microsoft | SysInternals | CVE-2023-29353 | Sysinternals Process Monitor for Windows Denial of Service Vulnerability |
| GitHub | Visual Studio | CVE-2023-29007 | GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` |
| Microsoft | Visual Studio | CVE-2023-33139 | Visual Studio Information Disclosure Vulnerability |
| GitHub | Visual Studio | CVE-2023-25652 | GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write |
| GitHub | Visual Studio | CVE-2023-25815 | GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place |
| AutoDesk | Visual Studio | CVE-2023-27911 | AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior |
| AutoDesk | Visual Studio | CVE-2023-27910 | AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior |
| GitHub | Visual Studio | CVE-2023-29011 | GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing |
| GitHub | Visual Studio | CVE-2023-29012 | GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists |
| AutoDesk | Visual Studio | CVE-2023-27909 | AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior |
| Microsoft | Visual Studio Code | CVE-2023-33144 | Visual Studio Code Spoofing Vulnerability |
| Microsoft | Windows Authentication Methods | CVE-2023-29364 | Windows Authentication Elevation of Privilege Vulnerability |
| Microsoft | Windows Bus Filter Driver | CVE-2023-32010 | Windows Bus Filter Driver Elevation of Privilege Vulnerability |
| Microsoft | Windows Cloud Files Mini Filter Driver | CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft | Windows Collaborative Translation Framework | CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability |
| Microsoft | Windows Container Manager Service | CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability |
| Microsoft | Windows CryptoAPI | CVE-2023-24937 | Windows CryptoAPI Denial of Service Vulnerability |
| Microsoft | Windows CryptoAPI | CVE-2023-24938 | Windows CryptoAPI Denial of Service Vulnerability |
| Microsoft | Windows DHCP Server | CVE-2023-29355 | DHCP Server Service Information Disclosure Vulnerability |
| Microsoft | Windows Filtering | CVE-2023-29368 | Windows Filtering Platform Elevation of Privilege Vulnerability |
| Microsoft | Windows GDI | CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability |
| Microsoft | Windows Geolocation Service | CVE-2023-29366 | Windows Geolocation Service Remote Code Execution Vulnerability |
| Microsoft | Windows Group Policy | CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability |
| Microsoft | Windows Hello | CVE-2023-32018 | Windows Hello Remote Code Execution Vulnerability |
| Microsoft | Windows Hyper-V | CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability |
| Microsoft | Windows Installer | CVE-2023-32016 | Windows Installer Information Disclosure Vulnerability |
| Microsoft | Windows iSCSI | CVE-2023-32011 | Windows iSCSI Discovery Service Denial of Service Vulnerability |
| Microsoft | Windows Kernel | CVE-2023-32019 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft | Windows NTFS | CVE-2023-29346 | NTFS Elevation of Privilege Vulnerability |
| Microsoft | Windows ODBC Driver | CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
| Microsoft | Windows OLE | CVE-2023-29367 | iSCSI Target WMI Provider Remote Code Execution Vulnerability |
| Microsoft | Windows PGM | CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Microsoft | Windows PGM | CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Microsoft | Windows PGM | CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Microsoft | Windows Remote Procedure Call Runtime | CVE-2023-29369 | Remote Procedure Call Runtime Denial of Service Vulnerability |
| Microsoft | Windows Resilient File System (ReFS) | CVE-2023-32008 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability |
| Microsoft | Windows Server Service | CVE-2023-32022 | Windows Server Service Security Feature Bypass Vulnerability |
| Microsoft | Windows SMB | CVE-2023-32021 | Windows SMB Witness Service Security Feature Bypass Vulnerability |
| Microsoft | Windows TPM Device Driver | CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability |
| Microsoft | Windows Win32K | CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability |
| Microsoft | Windows Win32K | CVE-2023-29359 | GDI Elevation of Privilege Vulnerability |

CVE-2023-3079 - Chromium: CVE-2023-3079 Type Confusion in V8

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-3079

Issuing CNA: Chrome

CVE Title: Chromium: CVE-2023-3079 Type Confusion in V8
CVSS:
None
Executive Summary:

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

Google is aware that an exploit for CVE-2023-3079 exists in the wild.


FAQ:

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

What is the version information for this release?

| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 114.0.1823.41 | 6/6/2023 | 114.0.5735.110 |

Mitigations:
None
Workarounds:
None
Revision:
1.0, 06-Jun-23: Information published.

Maximum Severity Rating: Unknown
Vulnerability Impact: Unknown

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

| Exploitability Assessment | Publicly Disclosed | Exploited |
|---|---|---|
| Not Found | Not Found | Not Found |

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-3079
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Fixed Build | Restart Required | Known Issue |
|---|---|---|---|---|---|---|---|---|
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A; Temporal: N/A; Vector: N/A | 114.0.1823.41 | No | None |

Acknowledgements

| CVE ID | Acknowledgements |
|---|---|
| CVE-2023-3079 | None |

CVE-2023-28310 - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-28310

Issuing CNA: Microsoft

CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 8.0 / Temporal Score: 7.0
Base score metrics
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated.


How could an attacker exploit this vulnerability?

An authenticated attacker who is on the same intranet as the Exchange server can achieve remote code execution via a PowerShell remoting session.


Mitigations:
None
Workarounds:
None
Revision:
1.0, 13-Jun-23: Information published.

Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution

Exploitability Index

| Exploitability Assessment | Publicly Disclosed | Exploited |
|---|---|---|
| Exploitation More Likely | No | No |

Affected Software

CVE-2023-28310
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Fixed Build | Restart Required | Known Issue |
|---|---|---|---|---|---|---|---|---|
| Microsoft Exchange Server 2016 Cumulative Update 23 | 5025903 (Security Update) | Important | Remote Code Execution | 5024296 | Base: 8.0; Temporal: 7.0; Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 15.01.2507.027 | Yes | None |
| Microsoft Exchange Server 2019 Cumulative Update 12 | 5026261 (Security Update) | Important | Remote Code Execution | 5024296 | Base: 8.0; Temporal: 7.0; Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 15.02.1118.030 | Yes | None |
| Microsoft Exchange Server 2019 Cumulative Update 13 | 5026261 (Security Update) | Important | Remote Code Execution | 5024296 | Base: 8.0; Temporal: 7.0; Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 15.02.1258.016 | Yes | None |

Acknowledgements

| CVE ID | Acknowledgements |
|---|---|
| CVE-2023-28310 | Anonymous, m4yfly with TianGong Team of Legendsec at Qi'anxin Group, Anonymous |


CVE-2023-24896 - Dynamics 365 Finance Spoofing Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24896

Issuing CNA: Microsoft

CVE Title: Dynamics 365 Finance Spoofing Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 5.4 / Temporal Score: 4.7
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?

The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L). What does that mean for this vulnerability?

Limited information from the victim's browser associated with the vulnerable URL can be sent to the attacker by the malicious code.


Mitigations:
None
Workarounds:
None
Revision:
1.0, 13-Jun-23: Information published.

Maximum Severity Rating: Important
Vulnerability Impact: Spoofing

Exploitability Index

| Exploitability Assessment | Publicly Disclosed | Exploited |
|---|---|---|
| Exploitation Less Likely | No | No |

Affected Software

CVE-2023-24896
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Fixed Build | Restart Required | Known Issue |
|---|---|---|---|---|---|---|---|---|
| Dynamics 365 for Finance and Operations | | Important | Spoofing | None | Base: 5.4; Temporal: 4.7; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C | Unknown | Unknown | None |

Acknowledgements

| CVE ID | Acknowledgements |
|---|---|
| CVE-2023-24896 | Khalid Amin with Cyshield |


CVE-2023-24897 - .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24897

Issuing CNA: Microsoft

CVE Title: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.8 / Temporal Score: 6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0, 13-Jun-23: Information published.

Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution

Exploitability Index

| Exploitability Assessment | Publicly Disclosed | Exploited |
|---|---|---|
| Exploitation Less Likely | No | No |

Affected Software

CVE-2023-24897
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Fixed Build | Restart Required | Known Issue |
|---|---|---|---|---|---|---|---|---|
| .NET 6.0 | 5027797 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 6.0.18 | Maybe | None |
| .NET 7.0 | 5027798 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 7.0.7 | Maybe | None |
| Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for 32-bit Systems | 5027230 (Security Update) | Critical | Remote Code Execution | 5026382 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 10.0.10240.19983 | Yes | None |
| Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for x64-based Systems | 5027230 (Security Update) | Critical | Remote Code Execution | 5026382 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 10.0.10240.19983 | Yes | None |
| Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5027219 (Security Update) | Critical | Remote Code Execution | 5026363 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 10.0.14393.5989 | Yes | None |
| Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5027219 (Security Update) | Critical | Remote Code Execution | 5026363 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 10.0.14393.5989 | Yes | None |
| Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 | 5027219 (Security Update) | Critical | Remote Code Execution | 5026363 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 10.0.14393.5989 | Yes | None |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems | 5027539 (Security Update) | Critical | Remote Code Execution | 5026959, 5022730 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems | 5027539 (Security Update) | Critical | Remote Code Execution | 5026959, 5022730 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5027536 (Security Update) | Critical | Remote Code Execution | 5022782 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5027544 (Security Update) | Critical | Remote Code Execution | 5022735, 5022726 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5027544 (Security Update) | Critical | Remote Code Execution | 5022735, 5022726 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5027537 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5027538 (Security Update) | Critical | Remote Code Execution | 5022728, 5026958, 5022729 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems | 5027539 (Security Update) | Critical | Remote Code Execution | 5026959, 5022730 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems | 5027539 (Security Update) | Critical | Remote Code Execution | 5026959, 5022730 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems | 5027119 (Security Update) | Critical | Remote Code Execution | 5026515, 5022497 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems | 5027119 (Security Update) | Critical | Remote Code Execution | 5026515, 5022497 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5027544 (Security Update) | Critical | Remote Code Execution | 5022735 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5027544 (Security Update) | Critical | Remote Code Execution | 5022735 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.9166.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 5027543 (Monthly Rollup); 5027534 (Security Only) | Critical | Remote Code Execution | 5022731, 5022734 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5027543 (Monthly Rollup); 5027534 (Security Only) | Critical | Remote Code Execution | 5022731, 5022734 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 5027543 (Monthly Rollup); 5027534 (Security Only) | Critical | Remote Code Execution | 5022731, 5022734 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5027543 (Monthly Rollup); 5027534 (Security Only) | Critical | Remote Code Execution | 5022731, 5022734 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5027540 (Monthly Rollup); 5027531 (Security Only) | Critical | Remote Code Execution | 5022731 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5027540 (Monthly Rollup); 5027531 (Security Only) | Critical | Remote Code Execution | 5022731 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5027541 (Monthly Rollup); 5027532 (Security Only) | Critical | Remote Code Execution | 5022732 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5027541 (Monthly Rollup); 5027532 (Security Only) | Critical | Remote Code Execution | 5022732 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5027542 (Monthly Rollup); 5027533 (Security Only) | Critical | Remote Code Execution | 5022733 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5027542 (Monthly Rollup); 5027533 (Security Only) | Critical | Remote Code Execution | 5022733 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5027123 (Security Update) | Critical | Remote Code Execution | 5022503 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5027123 (Security Update) | Critical | Remote Code Execution | 5022503 | Base: 7.8; Temporal: 6.8; Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | 4.8.4644.0 | Maybe | None |

Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Critical Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Critical Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Critical Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Critical Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Critical Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Critical Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 5027123 (Security Update) Critical Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5027123 (Security Update) Critical Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft Visual Studio 2013 Update 5 5026610 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
12.0.40700.0 Maybe None
Microsoft Visual Studio 2015 Update 3 5025792 (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
14.0.27555.0 Maybe None
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.9.55 Maybe None
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.11.27 Maybe None
Microsoft Visual Studio 2022 version 17.0 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.0.22 Maybe None
Microsoft Visual Studio 2022 version 17.2 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.2.16 Maybe None
Microsoft Visual Studio 2022 version 17.4 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.4.8 Maybe None
Microsoft Visual Studio 2022 version 17.6 Release Notes (Security Update) Critical Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.6.3 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24897 goodbyeselene


HAO LI of VenusTech ADLab


CVE-2023-24937 - Windows CryptoAPI Denial of Service Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24937
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Windows CryptoAPI Denial of Service Vulnerability
CVSS:

CVSS:3.1 Highest BaseScore:6.5/TemporalScore:5.7
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24937
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Windows 10 Version 1809 for 32-bit Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 1809 for ARM64-based Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 1809 for x64-based Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 21H2 for 32-bit Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 21H2 for ARM64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 21H2 for x64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 22H2 for 32-bit Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 10 Version 22H2 for ARM64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 10 Version 22H2 for x64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 11 version 21H2 for ARM64-based Systems 5027223 (Security Update) Important Denial of Service 5026368
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22000.2057
Yes 5027223
Windows 11 version 21H2 for x64-based Systems 5027223 (Security Update) Important Denial of Service 5026368
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22000.2057
Yes 5027223
Windows 11 Version 22H2 for ARM64-based Systems 5027231 (Security Update) Important Denial of Service 5026372
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22621.1848
Yes 5027231
Windows 11 Version 22H2 for x64-based Systems 5027231 (Security Update) Important Denial of Service 5026372
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22621.1848
Yes 5027231
Windows Server 2019 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows Server 2019 (Server Core installation) 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows Server 2022 5027225 (Security Update) Important Denial of Service 5026370
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.20348.1787
Yes 5027225
Windows Server 2022 (Server Core installation) 5027225 (Security Update) Important Denial of Service 5026370
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.20348.1787
Yes 5027225

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24937 Kevin Jones with GitHub


CVE-2023-24938 - Windows CryptoAPI Denial of Service Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24938
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Windows CryptoAPI Denial of Service Vulnerability
CVSS:

CVSS:3.1 Highest BaseScore:6.5/TemporalScore:5.7
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24938
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Windows 10 Version 1809 for 32-bit Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 1809 for ARM64-based Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 1809 for x64-based Systems 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows 10 Version 21H2 for 32-bit Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 21H2 for ARM64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 21H2 for x64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19044.3087
Yes 5027215
Windows 10 Version 22H2 for 32-bit Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 10 Version 22H2 for ARM64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 10 Version 22H2 for x64-based Systems 5027215 (Security Update) Important Denial of Service 5026361
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.19045.3087
Yes 5027215
Windows 11 version 21H2 for ARM64-based Systems 5027223 (Security Update) Important Denial of Service 5026368
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22000.2057
Yes 5027223
Windows 11 version 21H2 for x64-based Systems 5027223 (Security Update) Important Denial of Service 5026368
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22000.2057
Yes 5027223
Windows 11 Version 22H2 for ARM64-based Systems 5027231 (Security Update) Important Denial of Service 5026372
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22621.1848
Yes 5027231
Windows 11 Version 22H2 for x64-based Systems 5027231 (Security Update) Important Denial of Service 5026372
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.22621.1848
Yes 5027231
Windows Server 2019 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows Server 2019 (Server Core installation) 5027222 (Security Update) Important Denial of Service 5026362
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.17763.4499
Yes 5027222
Windows Server 2022 5027225 (Security Update) Important Denial of Service 5026370
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.20348.1787
Yes 5027225
Windows Server 2022 (Server Core installation) 5027225 (Security Update) Important Denial of Service 5026370
Base: 6.5
Temporal: 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
10.0.20348.1787
Yes 5027225

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24938 Ashutosh Singh and Rishabh Rathore


CVE-2023-29326 - .NET Framework Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-29326
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: .NET Framework Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest BaseScore:7.8/TemporalScore:6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website, which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-29326
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970
4.7.4050.0
Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970
4.7.4050.0
Maybe None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for 32-bit Systems 5027230 (Security Update) Important Remote Code Execution 5026382 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for x64-based Systems 5027230 (Security Update) Important Remote Code Execution 5026382 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5027544 (Security Update) Important Remote Code Execution 5022735, 5022726 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Important Remote Code Execution 5022735, 5022726 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems 5027119 (Security Update) Important Remote Code Execution 5026515, 5022497 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems 5027119 (Security Update) Important Remote Code Execution 5026515, 5022497 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5027544 (Security Update) Important Remote Code Execution 5022735 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Important Remote Code Execution 5022735 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-29326

CVE-2023-29345 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-29345
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVSS:

CVSS:3.1 Highest BaseScore:6.1/TemporalScore:5.3
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to a browser sandbox escape.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?

Integrity is impacted because XSS allows an attacker to add their malicious script to fetch the victim's sensitive information or to change DOM execution.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L). What does that mean for this vulnerability?

Limited information from the victim's browser associated with the vulnerable URL can be sent to the attacker by the malicious code.


What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The permissions dialog feature could be bypassed when prompted while attempting to download.


Mitigations:
None
Workarounds:
None
Revision:
1.0    02-Jun-23    

Information published.


Low Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-29345
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Edge (Chromium-based) Release Notes (Security Update) Low Security Feature Bypass None Base: 6.1
Temporal: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
114.0.1823.37 No None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-29345 lxhom


CVE-2023-29353 - Sysinternals Process Monitor for Windows Denial of Service Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-29353
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Sysinternals Process Monitor for Windows Denial of Service Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 5.5 / Temporal Score: 4.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

How do I get the update for a Windows App?

The Microsoft Store will automatically update affected customers.

It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. You can get the update through the store by following this guide: Get updates for apps and games in Microsoft Store.

Note that Process Monitor is only available as part of an MSIX package called Sysinternals Suite.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Low Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-29353
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Sysinternals Suite Release Notes (Security Update) Low Denial of Service None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
2023.6 Maybe None
Windows Sysinternals Process Monitor Release Notes (Security Update) Low Denial of Service None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
3.94 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-29353 M. Akil Gündoğan


CVE-2023-32024 - Microsoft Power Apps Spoofing Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-32024
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Power Apps Spoofing Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 3.0 / Temporal Score: 2.6
Base score metrics
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L). What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


How do I know that I'm protected from this vulnerability?

A new PowerApp compiler (version 3.23052.16) has been rolled out worldwide.

If you have an existing Canvas App, you'll need to save and republish it. Please see Save and publish canvas apps for information on this process. If you create a new Canvas App, you will already be protected from this vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-32024
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Power Apps Information (Security Update) Important Spoofing None Base: 3.0
Temporal: 2.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C
3.23052.16 No None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-32024 Jordan Hopkins


CVE-2023-32029 - Microsoft Excel Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-32029
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Excel Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.8 / Temporal Score: 6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince the user to open said file.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-32029
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Excel 2013 RT Service Pack 1 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2013 Service Pack 1 (32-bit editions) 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2013 Service Pack 1 (64-bit editions) 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2016 (32-bit edition) 5002405 (Security Update) Important Remote Code Execution 5002386 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.5400.1000 Maybe None
Microsoft Excel 2016 (64-bit edition) 5002405 (Security Update) Important Remote Code Execution 5002386 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.5400.1000 Maybe None
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.74.23061100 Maybe None
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.74.23061100 Maybe None
Microsoft Office Online Server 5002401 (Security Update) Important Remote Code Execution 5002372 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.10399.20000 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-32029 Marcin 'Icewall' Noga with Cisco Talos


CVE-2023-32031 - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-32031
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 8.8 / Temporal Score: 7.7
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated.


According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution?

The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation More Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-32031
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Exchange Server 2016 Cumulative Update 23 5025903 (Security Update) Important Remote Code Execution 5024296 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.01.2507.027 Yes None
Microsoft Exchange Server 2019 Cumulative Update 12 5026261 (Security Update) Important Remote Code Execution 5024296 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.02.1118.030 Yes None
Microsoft Exchange Server 2019 Cumulative Update 13 5026261 (Security Update) Important Remote Code Execution 5024296 Base: 8.8
Temporal: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.02.1258.016 Yes None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-32031 Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative


CVE-2023-33137 - Microsoft Excel Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-33137
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Excel Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.8 / Temporal Score: 6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince the user to open said file.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-33137
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Excel 2013 RT Service Pack 1 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2013 Service Pack 1 (32-bit editions) 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2013 Service Pack 1 (64-bit editions) 5002414 (Security Update) Important Remote Code Execution 5002384 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
15.0.5563.1000 Maybe None
Microsoft Excel 2016 (32-bit edition) 5002405 (Security Update) Important Remote Code Execution 5002386 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.5400.1000 Maybe None
Microsoft Excel 2016 (64-bit edition) 5002405 (Security Update) Important Remote Code Execution 5002386 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.5400.1000 Maybe None
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office Online Server 5002401 (Security Update) Important Remote Code Execution 5002372 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.0.10399.20000 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-33137 Excel Engineering team


CVE-2023-33139 - Visual Studio Information Disclosure Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-33139
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Visual Studio Information Disclosure Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 5.5 / Temporal Score: 5.0
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics
Exploit Code Maturity: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is information disclosure?

The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer which could leak data.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-33139
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Visual Studio 2013 Update 5 5026454 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
12.0.40702.0 Maybe None
Microsoft Visual Studio 2015 Update 3 5026455 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
14.0.27554.0 Maybe None
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
15.9.55 Maybe None
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
16.11.27 Maybe None
Microsoft Visual Studio 2022 version 17.0 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
17.0.22 Maybe None
Microsoft Visual Studio 2022 version 17.2 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
17.2.16 Maybe None
Microsoft Visual Studio 2022 version 17.4 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
17.4.8 Maybe None
Microsoft Visual Studio 2022 version 17.6 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
17.6.3 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-33139 HAO LI of VenusTech ADLab


CVE-2023-33143 - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-33143
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.5 / Temporal Score: 6.5
Base score metrics
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user open a specially crafted file.

  • In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
  • In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.


According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to a browser sandbox escape.


According to the CVSS metric, successful exploitation of this vulnerability could lead to loss of availability (A:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires the user to click on a malicious URL or an embedded link in an email message, which could lead to denial of service (DoS) or cause the browser to crash.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L). What does that mean for this vulnerability?

Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?

The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.


What is the version information for this release?

Microsoft Edge Version: 114.0.1823.37; Date Released: 6/2/2023; Based on Chromium Version: 114.0.5735.90/91

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would gain the rights of the user that is running the affected application.


Mitigations:
None
Workarounds:
None
Revision:
1.0    02-Jun-23    

Information published.


Moderate Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-33143
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft Edge (Chromium-based) Release Notes (Security Update) Moderate Elevation of Privilege None Base: 7.5
Temporal: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H/E:U/RL:O/RC:C
114.0.1823.37 No None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-33143 Anonymous


CVE-2023-33146 - Microsoft Office Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-33146
MITRE
NVD

Issuing CNA: Microsoft

CVE Title: Microsoft Office Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.8 / Temporal Score: 6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A user needs to be tricked into running malicious files.


Are the updates for the Microsoft Office for Mac currently available?

The security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.


Where can I find more information?

Please see the Microsoft 365 Insider Blog Post relating to the temporary disablement of the ability to insert SketchUp graphics (.skp files) here: SketchUp files in Office Update.


According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely; Publicly Disclosed: No; Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-33146
Product KB Article Severity Impact Supercedence CVSS Score Set Fixed Build Restart Required Known Issue
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
https://aka.ms/OfficeSecurityReleases No None
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.74.23061100 Maybe None
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
16.74.23061100 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-33146 greenbamboo


Kai Lu with Zscaler's ThreatLabz


CVE-2023-21565 - Azure DevOps Server Spoofing Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-21565

Issuing CNA: Microsoft

CVE Title: Azure DevOps Server Spoofing Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.1 / Temporal Score: 6.2
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


According to the CVSS metric, successful exploitation of this vulnerability could lead to no loss of availability (A:N). What does that mean for this vulnerability?

An attacker cannot impact the availability of the service.


According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H). What does that mean for this vulnerability?

An attacker who successfully exploited the vulnerability could access data that is available to the current user. Depending on the user's authorization, the attacker could collect detailed data about ADO elements such as org/proj configuration, users, groups, teams, projects, pipelines, board, or wiki. An attacker could also craft page elements to collect user secrets.


According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?

An attacker is able to manipulate the DOM of the website by adding or removing elements and, with a crafted script, is able to perform actions on ADO in the current user's context without the user's consent or awareness.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-21565
Product KB Article Severity Impact Supersedence CVSS Score Set Fixed Build Restart Required Known Issue
Azure DevOps Server 2020.1.2 Release Notes (Security Update) Important Spoofing None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
20230601.3 Maybe None
Azure DevOps Server 2022 Release Notes (Security Update) Important Spoofing None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
20230602.4 Maybe None
Azure DevOps Server 2022.0.1 Release Notes (Security Update) Important Spoofing None Base: 7.1
Temporal: 6.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
20230602.5 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-21565 Martin Wrona (martin_jw) with Digitec Galaxus AG


CVE-2023-21569 - Azure DevOps Server Spoofing Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-21569

Issuing CNA: Microsoft

CVE Title: Azure DevOps Server Spoofing Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 5.5 / Temporal Score: 4.8
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metrics, successful exploitation of this vulnerability could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability?

While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack.


According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker would have to send the victim a malicious file that the victim would have to execute.


According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-21569
Product KB Article Severity Impact Supersedence CVSS Score Set Fixed Build Restart Required Known Issue
Azure DevOps Server 2020.1.2 Release Notes (Security Update) Important Spoofing None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
20230601.3 Maybe None
Azure DevOps Server 2022 Release Notes (Security Update) Moderate Spoofing None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
20230602.4 Maybe None
Azure DevOps Server 2022.0.1 Release Notes (Security Update) Moderate Spoofing None Base: 5.5
Temporal: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
20230602.5 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-21569 Martin Wrona (martin_jw) with Digitec Galaxus AG


CVE-2023-24895 - .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24895

Issuing CNA: Microsoft

CVE Title: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.8 / Temporal Score: 6.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24895
Product KB Article Severity Impact Supersedence CVSS Score Set Fixed Build Restart Required Known Issue
.NET 6.0 5027797 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
6.0.18 Maybe None
.NET 7.0 5027798 (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
7.0.7 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Important Remote Code Execution
5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Important Remote Code Execution
5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for 32-bit Systems 5027230 (Security Update) Important Remote Code Execution 5026382 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for x64-based Systems 5027230 (Security Update) Important Remote Code Execution 5026382 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) 5027219 (Security Update) Important Remote Code Execution 5026363 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Remote Code Execution 5022782 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5027544 (Security Update) Important Remote Code Execution 5022735, 5022726 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Important Remote Code Execution 5022735, 5022726 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Important Remote Code Execution 5022728, 5026958, 5022729 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Important Remote Code Execution 5026959, 5022730 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems 5027119 (Security Update) Important Remote Code Execution 5026515, 5022497 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems 5027119 (Security Update) Important Remote Code Execution 5026515, 5022497 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5027544 (Security Update) Important Remote Code Execution 5022735 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Important Remote Code Execution 5022735 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022731, 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022731, 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022731, 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Remote Code Execution 5022731, 5022734
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5027123 (Security Update) Important Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5027123 (Security Update) Important Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Important Remote Code Execution 5022731
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Important Remote Code Execution 5022732
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Important Remote Code Execution 5022733
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 5027123 (Security Update) Important Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5027123 (Security Update) Important Remote Code Execution 5022503 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft Visual Studio 2022 version 17.0 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.0.22 Maybe None
Microsoft Visual Studio 2022 version 17.2 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.2.16 Maybe None
Microsoft Visual Studio 2022 version 17.4 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.4.8 Maybe None
Microsoft Visual Studio 2022 version 17.6 Release Notes (Security Update) Important Remote Code Execution None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.6.3 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24895



CVE-2023-24936 - .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-24936

Issuing CNA: Microsoft

CVE Title: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 8.1 / Temporal Score: 7.1
Base score metrics
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.


What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.


How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by tricking a user into opening a malicious XML file.


Mitigations:
None
Workarounds:
None
Revision:
1.0    13-Jun-23    Information published.


Moderate Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-24936
Product KB Article Severity Impact Supersedence CVSS Score Set Fixed Build Restart Required Known Issue
.NET 6.0 5027797 (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
6.0.18 Maybe None
.NET 7.0 5027798 (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
7.0.7 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Moderate Elevation of Privilege
5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Moderate Elevation of Privilege
5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for 32-bit Systems 5027230 (Security Update) Moderate Elevation of Privilege 5026382 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for x64-based Systems 5027230 (Security Update) Moderate Elevation of Privilege 5026382 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5027219 (Security Update) Moderate Elevation of Privilege 5026363 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems 5027219 (Security Update) Moderate Elevation of Privilege 5026363 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 5027219 (Security Update) Moderate Elevation of Privilege 5026363 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) 5027219 (Security Update) Moderate Elevation of Privilege 5026363 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Moderate Elevation of Privilege 5026959, 5022730 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Moderate Elevation of Privilege 5026959, 5022730 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Moderate Elevation of Privilege 5022782 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5027544 (Security Update) Moderate Elevation of Privilege 5022735, 5022726 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Moderate Elevation of Privilege 5022735, 5022726 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Moderate Elevation of Privilege 5022728, 5026958, 5022729 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Moderate Elevation of Privilege 5026959, 5022730 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Moderate Elevation of Privilege 5026959, 5022730 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems 5027119 (Security Update) Moderate Elevation of Privilege 5026515, 5022497 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems 5027119 (Security Update) Moderate Elevation of Privilege 5026515, 5022497 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 5027544 (Security Update) Moderate Elevation of Privilege 5022735 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Moderate Elevation of Privilege 5022735 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022731, 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022731, 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022731, 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5027543 (Monthly Rollup)
5027534 (Security Only)
Moderate Elevation of Privilege 5022731, 5022734
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.7.04043.0
4.7.4050.0
Maybe None
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems 5027123 (Security Update) Moderate Elevation of Privilege 5022503 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems 5027123 (Security Update) Moderate Elevation of Privilege 5022503 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5027540 (Monthly Rollup)
5027531 (Security Only)
Moderate Elevation of Privilege 5022731
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) 5027541 (Monthly Rollup)
5027532 (Security Only)
Moderate Elevation of Privilege 5022732
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) 5027542 (Monthly Rollup)
5027533 (Security Only)
Moderate Elevation of Privilege 5022733
Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 5027123 (Security Update) Moderate Elevation of Privilege 5022503 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) 5027123 (Security Update) Moderate Elevation of Privilege 5022503 Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft Visual Studio 2022 version 17.0 Release Notes (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.0.22 Maybe None
Microsoft Visual Studio 2022 version 17.2 Release Notes (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.2.16 Maybe None
Microsoft Visual Studio 2022 version 17.4 Release Notes (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.4.8 Maybe None
Microsoft Visual Studio 2022 version 17.5 Release Notes (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.5.6 Maybe None
Microsoft Visual Studio 2022 version 17.6 Release Notes (Security Update) Moderate Elevation of Privilege None Base: 8.1
Temporal: 7.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
17.6.3 Maybe None

Acknowledgements

CVE ID Acknowledgements
CVE-2023-24936 H01 and H02 from FPT Software Cybersecurity Assurance Service with https://www.fpt-software.com/



CVE-2023-29331 - .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2023-29331

Issuing CNA: Microsoft

CVE Title: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
CVSS:

CVSS:3.1 Highest Base Score: 7.5 / Temporal Score: 6.7
Base score metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Temporal score metrics
Exploit Code Maturity: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

Executive Summary:
None
FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0 13-Jun-23 Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2023-29331
Product KB Article Severity Impact Supersedence CVSS Score Set Fixed Build Restart Required Known Issue
.NET 6.0 5027797 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
6.0.18 Maybe None
.NET 7.0 5027798 (Security Update) Important Denial of Service None Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
7.0.7 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Denial of Service 5022734
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Important Denial of Service
5022734
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 5027543 (Monthly Rollup)
5027534 (Security Only)
Important Denial of Service 5022734
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
3.0.6920.8954; 2.0.50727.8970 Maybe None
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 5027534 (Security Only)
5027543 (Monthly Rollup)
Important Denial of Service
5022734
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0
3.0.6920.8954; 2.0.50727.8970
Maybe None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for 32-bit Systems 5027230 (Security Update) Important Denial of Service 5026382 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 and 4.6.2 on Windows 10 for x64-based Systems 5027230 (Security Update) Important Denial of Service 5026382 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.10240.19983 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems 5027219 (Security Update) Important Denial of Service 5026363 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems 5027219 (Security Update) Important Denial of Service 5026363 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 5027219 (Security Update) Important Denial of Service 5026363 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) 5027219 (Security Update) Important Denial of Service 5026363 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
10.0.14393.5989 Yes None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.7.4050.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems 5027538 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems 5027538 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems 5027538 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems 5027539 (Security Update) Important Denial of Service 5026959, 5022730 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems 5027539 (Security Update) Important Denial of Service 5026959, 5022730 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) 5027536 (Security Update) Important Denial of Service 5022782 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 5027544 (Security Update) Important Denial of Service 5022735, 5022726 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) 5027544 (Security Update) Important Denial of Service 5022735, 5022726 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.4644.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems 5027537 (Security Update) Important Denial of Service 5022728, 5026958, 5022729 Base: 7.5
Temporal: 6.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
4.8.9166.0 Maybe None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5027538 (Security Update) | Important | Denial of Service | 5022728, 5026958, 5022729 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5027538 (Security Update) | Important | Denial of Service | 5022728, 5026958, 5022729 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5027538 (Security Update) | Important | Denial of Service | 5022728, 5026958, 5022729 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems | 5027539 (Security Update) | Important | Denial of Service | 5026959, 5022730 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems | 5027539 (Security Update) | Important | Denial of Service | 5026959, 5022730 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems | 5027119 (Security Update) | Important | Denial of Service | 5026515, 5022497 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems | 5027119 (Security Update) | Important | Denial of Service | 5026515, 5022497 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5027544 (Security Update) | Important | Denial of Service | 5022735 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5027544 (Security Update) | Important | Denial of Service | 5022735 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.8.9166.0 | Maybe | None
Microsoft .NET Framework 3.5 on Windows Server 2012 | 5027541 (Monthly Rollup); 5027532 (Security Only) | Important | Denial of Service | 5022732 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5027541 (Monthly Rollup); 5027532 (Security Only) | Important | Denial of Service | 5022732 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5027542 (Monthly Rollup); 5027533 (Security Only) | Important | Denial of Service | 5022733 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5027542 (Monthly Rollup); 5027533 (Security Only) | Important | Denial of Service | 5022733 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5027540 (Monthly Rollup); 5027531 (Security Only) | Important | Denial of Service | 5022731 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5027540 (Monthly Rollup); 5027531 (Security Only) | Important | Denial of Service | 5022731 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 3.0.6920.8954; 2.0.50727.8970 | Maybe | None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 5027543 (Monthly Rollup); 5027534 (Security Only) | Important | Denial of Service | 5022731, 5022734 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5027543 (Monthly Rollup); 5027534 (Security Only) | Important | Denial of Service | 5022731, 5022734 | Base: 7.5; Temporal: 6.7; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C | 4.7.04043.0; 4.7.4050.0 | Maybe | None
Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2