This report contains detail for the following vulnerabilities:
Tag | CVE ID | CVE Title |
---|---|---|
.NET and Visual Studio | CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability |
.NET Framework | CVE-2023-21722 | .NET Framework Denial of Service Vulnerability |
3D Builder | CVE-2023-23390 | 3D Builder Remote Code Execution Vulnerability |
3D Builder | CVE-2023-23377 | 3D Builder Remote Code Execution Vulnerability |
3D Builder | CVE-2023-23378 | Print 3D Remote Code Execution Vulnerability |
Azure App Service | CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability |
Azure Data Box Gateway | CVE-2023-21703 | Azure Data Box Gateway Remote Code Execution Vulnerability |
Azure DevOps | CVE-2023-21564 | Azure DevOps Server Cross-Site Scripting Vulnerability |
Azure DevOps | CVE-2023-21553 | Azure DevOps Server Remote Code Execution Vulnerability |
Azure Machine Learning | CVE-2023-23382 | Azure Machine Learning Compute Instance Information Disclosure Vulnerability |
HoloLens | CVE-2019-15126 | MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device |
Internet Storage Name Service | CVE-2023-21699 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability |
Internet Storage Name Service | CVE-2023-21697 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability |
Mariner | CVE-2022-43552 | Unknown |
Microsoft Defender for Endpoint | CVE-2023-21809 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability |
Microsoft Defender for IoT | CVE-2023-23379 | Microsoft Defender for IoT Elevation of Privilege Vulnerability |
Microsoft Dynamics | CVE-2023-21807 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2023-21573 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2023-21571 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2023-21572 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Dynamics | CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability |
Microsoft Dynamics | CVE-2023-21570 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft Edge (Chromium-based) | CVE-2023-23374 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
Microsoft Edge (Chromium-based) | CVE-2023-21794 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
Microsoft Edge (Chromium-based) | CVE-2023-21720 | Microsoft Edge (Chromium-based) Tampering Vulnerability |
Microsoft Exchange Server | CVE-2023-21710 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Exchange Server | CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Exchange Server | CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Exchange Server | CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2023-21804 | Windows Graphics Component Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2023-21823 | Windows Graphics Component Remote Code Execution Vulnerability |
Microsoft Office | CVE-2023-21714 | Microsoft Office Information Disclosure Vulnerability |
Microsoft Office OneNote | CVE-2023-21721 | Microsoft OneNote Spoofing Vulnerability |
Microsoft Office Publisher | CVE-2023-21715 | Microsoft Publisher Security Features Bypass Vulnerability |
Microsoft Office SharePoint | CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Microsoft Office Word | CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability |
Microsoft PostScript Printer Driver | CVE-2023-21693 | Microsoft PostScript Printer Driver Information Disclosure Vulnerability |
Microsoft PostScript Printer Driver | CVE-2023-21801 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability |
Microsoft PostScript Printer Driver | CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability |
Microsoft WDAC OLE DB provider for SQL | CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
Microsoft WDAC OLE DB provider for SQL | CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
Microsoft WDAC OLE DB provider for SQL | CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
Microsoft Windows Codecs Library | CVE-2023-21802 | Windows Media Remote Code Execution Vulnerability |
Power BI | CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability |
SQL Server | CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability |
SQL Server | CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability |
SQL Server | CVE-2023-21528 | Microsoft SQL Server Remote Code Execution Vulnerability |
SQL Server | CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability |
SQL Server | CVE-2023-21568 | Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability |
SQL Server | CVE-2023-21704 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Visual Studio | CVE-2023-21566 | Visual Studio Elevation of Privilege Vulnerability |
Visual Studio | CVE-2023-21815 | Visual Studio Remote Code Execution Vulnerability |
Visual Studio | CVE-2023-23381 | Visual Studio Remote Code Execution Vulnerability |
Visual Studio | CVE-2023-21567 | Visual Studio Denial of Service Vulnerability |
Windows Active Directory | CVE-2023-21816 | Windows Active Directory Domain Services API Denial of Service Vulnerability |
Windows ALPC | CVE-2023-21688 | NT OS Kernel Elevation of Privilege Vulnerability |
Windows Common Log File System Driver | CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Windows Common Log File System Driver | CVE-2023-21812 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Windows Cryptographic Services | CVE-2023-21813 | Windows Secure Channel Denial of Service Vulnerability |
Windows Cryptographic Services | CVE-2023-21819 | Windows Secure Channel Denial of Service Vulnerability |
Windows Distributed File System (DFS) | CVE-2023-21820 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability |
Windows Fax and Scan Service | CVE-2023-21694 | Windows Fax Service Remote Code Execution Vulnerability |
Windows HTTP.sys | CVE-2023-21687 | HTTP.sys Information Disclosure Vulnerability |
Windows Installer | CVE-2023-21800 | Windows Installer Elevation of Privilege Vulnerability |
Windows iSCSI | CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability |
Windows iSCSI | CVE-2023-21700 | Windows iSCSI Discovery Service Denial of Service Vulnerability |
Windows iSCSI | CVE-2023-21702 | Windows iSCSI Service Denial of Service Vulnerability |
Windows iSCSI | CVE-2023-21811 | Windows iSCSI Service Denial of Service Vulnerability |
Windows Kerberos | CVE-2023-21817 | Windows Kerberos Elevation of Privilege Vulnerability |
Windows MSHTML Platform | CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability |
Windows ODBC Driver | CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
Windows ODBC Driver | CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21695 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21701 | Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21691 | Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability |
Windows Protected EAP (PEAP) | CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability |
Windows SChannel | CVE-2023-21818 | Windows Secure Channel Denial of Service Vulnerability |
Windows Win32K | CVE-2023-21822 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21528 MITRE NVD |
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.8/6.8
FAQ: There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21528 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5021129 (Security Update) | Important | Remote Code Execution | 5014355 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack | 5021128 (Security Update) | Important | Remote Code Execution | 5015371 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5021126 (Security Update) | Important | Remote Code Execution | 5014553 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5021127 (Security Update) | Important | Remote Code Execution | 5014354 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (CU 18) | 5021124 (Security Update) | Important | Remote Code Execution | 5014353 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5021125 (Security Update) | Important | Remote Code Execution | 5014356 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5021522 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21528 | Nicolas Joly of MSRC |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21684 MITRE NVD |
CVE Title: Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: How could an attacker exploit this vulnerability? An authenticated attacker could send a specially crafted file to a shared printer. This could result in arbitrary code execution on the system that is sharing the printer. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21684 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Windows 10 for 32-bit Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 for x64-based Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for 32-bit Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for x64-based Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for 32-bit Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for ARM64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for x64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for ARM64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for x64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for ARM64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for x64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 (Server Core installation) | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 (Server Core installation) | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 (Server Core installation) | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 (Server Core installation) | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 (Server Core installation) | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21684 | kap0k |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21777 MITRE NVD |
CVE Title: Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
CVSS: CVSS:3.1 8.7/7.6
FAQ: According to the CVSS metrics, the attack vector is local (AV:L) and privilege required is low (PR:L). What does that mean for this vulnerability? An attacker must have access to the targeted worker role and the ability to deploy a malicious application within the worker. The attack itself is carried out locally on the worker role where a malicious application has been deployed. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) and major loss of integrity (I:H) but have low effect on availability (A:L). What does that mean for this vulnerability? Exploiting this vulnerability could enable an attacker with the ability to access and modify content of a targeted application or workload leading to major loss of confidentiality and integrity. The attacker cannot fully deny service availability across all infrastructure, hence low effect on availability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21777 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Azure App Service on Azure Stack Hub | Release Notes (App Service Installer) | Important | Elevation of Privilege | None | Base: 8.7 Temporal: 7.6 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21777 | Denis Faiustov Ruslan Sayfiev |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21778 MITRE NVD |
CVE Title: Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.3/7.2
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of the vulnerability requires that a user open a specially crafted file.
An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, the attack is carried over the webpage but it compromises the web server running the page. In addition, the attacker might be able to call victim's local files in the Resources directory and execute Windows commands that are outside of the Dynamics application. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? The attacker must be authenticated to be able to exploit this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21778 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 Unified Service Desk | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown |
CVE ID | Acknowledgements |
CVE-2023-21778 | Erik Donker with Vattenfall Erik Donker |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21794 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVSS: CVSS:3.1 4.3/3.9
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2023-02-09T08:00:00     Information published. |
Low | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21794 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Low | Spoofing | None | Base: 4.3 Temporal: 3.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
No |
CVE ID | Acknowledgements |
CVE-2023-21794 | Anonymous |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21806 MITRE NVD |
CVE Title: Power BI Report Server Spoofing Vulnerability
CVSS: CVSS:3.1 8.2/7.1
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker would have to send the victim a malicious file that the victim would have to execute. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? The attacker must have permissions to access the target domain environment to be able to exploit this vulnerability According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H)? What does that mean for this vulnerability? There could be a loss of confidentiality if an unaware user clicked on a popup therefore creating an opportunity for an attacker to retrieve cookies or present the user with a dialog box to enter user credentials. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of availability (A:L)? What does that mean for this vulnerability? The attacker cannot fully deny service availability across all infrastructure, hence low effect on availability. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? An attacker could modify the contents of a reports file creating the potential opportunity for Java Script to be run as part of the Spoofing vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21806 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Power BI Report Server - January 2023 | 5023884 (Security Update) | Important | Spoofing | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21806 | Steffen Langenfeld and Sebastian Biehler |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21807 MITRE NVD |
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS: CVSS:3.1 5.8/5.1
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21807 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 (on-premises) version 9.0 | 5022994 (Security Update) | Important | Spoofing | None | Base: 5.8 Temporal: 5.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
Microsoft Dynamics 365 (on-premises) version 9.1 | 5023001 (Security Update) | Important | Spoofing | None | Base: 5.8 Temporal: 5.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21807 | batram |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21704 MITRE NVD |
CVE Title: Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.8/6.8
FAQ: There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking an un-authenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21704 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5021129 (Security Update) | Important | Remote Code Execution | 5014355 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack | 5021128 (Security Update) | Important | Remote Code Execution | 5015371 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5021126 (Security Update) | Important | Remote Code Execution | 5014553 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5021127 (Security Update) | Important | Remote Code Execution | 5014354 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (CU 18) | 5021124 (Security Update) | Important | Remote Code Execution | 5014353 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5021125 (Security Update) | Important | Remote Code Execution | 5014356 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5021522 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21704 | hexb1n |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21705 MITRE NVD |
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, the attack vector is network (AV:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attacker needs to be authenticated as a normal user. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21705 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5021129 (Security Update) | Important | Remote Code Execution | 5014355 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack | 5021128 (Security Update) | Important | Remote Code Execution | 5015371 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5021126 (Security Update) | Important | Remote Code Execution | 5014553 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5021127 (Security Update) | Important | Remote Code Execution | 5014354 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (CU 18) | 5021124 (Security Update) | Important | Remote Code Execution | 5014353 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5021125 (Security Update) | Important | Remote Code Execution | 5014356 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5021522 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21705 | Andrew Ruddick with Microsoft Security Response Center |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21706 MITRE NVD |
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated. According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation More Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21706 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Exchange Server 2013 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2016 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 11 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 12 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21706 | zcgonvh with 360 noah lab |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21707 MITRE NVD |
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated. According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation More Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21707 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Exchange Server 2013 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2016 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 11 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 12 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21707 | Nguyễn Tiến Giang (Jang) with STAR Labs SG Pte. Ltd. |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21718 MITRE NVD |
CVE Title: Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.8/6.8
FAQ: There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking an un-authenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21718 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | 5021045 (Security Update) | Critical | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | 5021037 (Security Update) | Critical | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | 5021045 (Security Update) | Critical | Remote Code Execution | 5014164 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | 5021037 (Security Update) | Critical | Remote Code Execution | 5014165 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5021129 (Security Update) | Critical | Remote Code Execution | 5014355 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack | 5021128 (Security Update) | Critical | Remote Code Execution | 5015371 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5021126 (Security Update) | Critical | Remote Code Execution | 5014553 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5021127 (Security Update) | Critical | Remote Code Execution | 5014354 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (CU 18) | 5021124 (Security Update) | Critical | Remote Code Execution | 5014353 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5021125 (Security Update) | Critical | Remote Code Execution | 5014356 | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5021522 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21718 | Anonymous |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21720 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Tampering Vulnerability
CVSS: CVSS:3.1 5.3/4.8
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Why is the severity for this CVE rated as Moderate, but the CVSS score is higher than normal? Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity, specifically it says, "If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded". The CVSS scoring system doesn't allow for this type of nuance. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to loss of availability (A:H)? What does that mean for this vulnerability? Successful exploitation of this vulnerability requires the user to click on a malicious URL or an embedded link in an email message which could lead to denial of service (DOS) or the Browser to crash. Mitigations: None Workarounds: None Revision: 1.0    2023-02-03T08:00:00     Information published. |
Low | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21720 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Low | Tampering | None | Base: 5.3 Temporal: 4.8 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
No |
CVE ID | Acknowledgements |
CVE-2023-21720 | William Brown with SUSE |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21721 MITRE NVD |
CVE Title: Microsoft OneNote Spoofing Vulnerability
CVSS: CVSS:3.1 6.5/5.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges. How do I get the update for a Windows App? The Microsoft Store will automatically update affected customers. It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. You can get the update through the store by following this guide: Get updates for apps and games in Microsoft Store. Be sure to select the tab for the operating system installed on your device to search for updates. According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of integrity (I:H)? What does that mean for this vulnerability? An authenticated attacker could impersonate another user to perform actions. How do I get the update for OneNote for Android? Please reference How to update the Play Store & apps on Android - Google Play Help for guidance. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21721 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft OneNote for Android | Release Notes (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21721 | Dimitrios Valsamaras with Microsoft |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21566 MITRE NVD |
CVE Title: Visual Studio Elevation of Privilege Vulnerability
CVSS: CVSS:3.1 7.8/6.8
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21566 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.0 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.2 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.4 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21566 | Filip Dragovic with Infigo IS |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21567 MITRE NVD |
CVE Title: Visual Studio Denial of Service Vulnerability
CVSS: CVSS:3.1 5.6/5.1
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a local user executes the Visual Studio installer According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could affect the integrity by is replacing one file with another. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21567 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) | Important | Denial of Service | None | Base: 5.6 Temporal: 5.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Denial of Service | None | Base: 5.6 Temporal: 5.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.0 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 5.6 Temporal: 5.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.2 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 5.6 Temporal: 5.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
Microsoft Visual Studio 2022 version 17.4 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 5.6 Temporal: 5.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21567 | ycdxsb with VARAS@IIE |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVE-2023-21568 MITRE NVD |
CVE Title: Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.3/6.4
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must convince the user to open a file on a malicious SQL server. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21568 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | 5021045 (Security Update) | Important | Remote Code Execution | 5014164 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | 5021037 (Security Update) | Important | Remote Code Execution | 5014165 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5021129 (Security Update) | Important | Remote Code Execution | 5014355 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack | 5021128 (Security Update) | Important | Remote Code Execution | 5015371 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5021126 (Security Update) | Important | Remote Code Execution | 5014553 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5021127 (Security Update) | Important | Remote Code Execution | 5014354 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (CU 18) | 5021124 (Security Update) | Important | Remote Code Execution | 5014353 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5021125 (Security Update) | Important | Remote Code Execution | 5014356 | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5021522 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21568 | Andrew Ruddick with Microsoft Security Response Center |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21570 MITRE NVD |
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS: CVSS:3.1 5.4/4.7
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21570 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 (on-premises) version 9.0 | 5022994 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
Microsoft Dynamics 365 (on-premises) version 9.1 | 5023001 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21570 | batram |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21571 MITRE NVD |
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS: CVSS:3.1 5.4/4.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21571 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 (on-premises) version 9.0 | 5022994 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
Microsoft Dynamics 365 (on-premises) version 9.1 | 5023001 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21571 | batram |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21572 MITRE NVD |
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS: CVSS:3.1 6.5/5.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of availability (A:L)? What does that mean for this vulnerability? The attacker cannot fully deny service availability across all infrastructure, hence low effect on availability. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21572 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 (on-premises) version 9.0 | 5022994 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C |
Maybe |
Microsoft Dynamics 365 (on-premises) version 9.1 | 5023001 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21572 | batram |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21573 MITRE NVD |
CVE Title: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVSS: CVSS:3.1 5.4/4.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21573 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Dynamics 365 (on-premises) version 9.0 | 5022994 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
Microsoft Dynamics 365 (on-premises) version 9.1 | 5023001 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21573 | batram |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||||||||
CVE-2023-23374 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.3/7.2
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? This vulnerability could lead to a browser sandbox escape. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Why is the severity for this CVE rated as Moderate, but the CVSS score is 8.3? Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2023-02-09T08:00:00     Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-23374 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Edge for Android | Release Notes (Security Update) | Moderate | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
CVE ID | Acknowledgements |
CVE-2023-23374 | Anonymous |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-23378 MITRE NVD |
CVE Title: Print 3D Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.8/7.1
FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send the user a malicious file and convince the user to open said file. Where do I find the update for Print 3D? Microsoft is not planning on fixing this vulnerability in Print 3D as the app has been deprecated along with Windows 10 version 1903. The deprecation was announced here: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features Microsoft recommends upgrading to the 3D Builder app. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-23378 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Print 3D | More Information (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-23378 | Mat Powell of Trend Micro Zero Day Initiative |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-23379 MITRE NVD |
CVE Title: Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVSS: CVSS:3.1 6.4/5.6
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. What is the action required to take the update? You need to update to the latest Microsoft Defender for IoT software version. See the Update the software version section of Manage the on-premises management console. What is Microsoft Defender for IoT? Microsoft Defender for IoT is a unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations. See Microsoft Defender for IoT for more information. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-23379 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Defender for IoT | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-23379 | Yiming Xiang with NSFOCUS TIANJI LAB |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-23382 MITRE NVD |
CVE Title: Azure Machine Learning Compute Instance Information Disclosure Vulnerability
CVSS: CVSS:3.1 6.5/5.7
FAQ: How do I check my Azure Machine Learning Compute Instance runtime version? To determine your runtime version, make a GET compute rest API call for your compute instance, then check the response. You can find the runtime version from field *versions.runtime. * Please view additional details here: https://learn.microsoft.com/en-us/rest/api/azureml/2022-10-01/compute/get?tabs=HTTP How do I update my Azure Machine Learning Compute Instance runtime version? Please reference the guidacne provided here: https://learn.microsoft.com/en-us/rest/api/azureml/2022-10-01/compute/update?tabs=HTTP What type of information could be disclosed by this vulnerability? An attacker that successfully exploited this vulnerability could recover cleartext passwords from error logs. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-23382 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Azure Machine Learning | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-23382 | Nitesh Surana (@_niteshsurana) of Project Nebula Trend Micro Zero Day Initiative |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21529 MITRE NVD |
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated. According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation More Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21529 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Microsoft Exchange Server 2013 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2016 Cumulative Update 23 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 11 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Microsoft Exchange Server 2019 Cumulative Update 12 | 5023038 (Security Update) | Important | Remote Code Execution | 5019758 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21529 | Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative zcgonvh with 360 noah lab |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21553 MITRE NVD |
CVE Title: Azure DevOps Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 7.5/6.5
FAQ: According to the CVSS metric, the attack vector is network (AV:N), user interaction is none (UI:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attack needs to have only Run access to the pipeline. Azure DevOps server is not bound to any network stack or protocol. Communication is on the TCP/IP level and this allows to communicate over the Internet. According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability? Owning an affected domain is not enough to run the attack. For a successful attacker the appropriate variable must be used in the pipeline, and not every pipeline is vulnerable. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21553 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Azure DevOps Server 2020.1.2 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
CVE ID | Acknowledgements |
CVE-2023-21553 | Legit Security (LinkedIn) with Legit Security |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21797 MITRE NVD |
CVE Title: Microsoft ODBC Driver Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21797 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Windows 10 for 32-bit Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 for x64-based Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for 32-bit Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for x64-based Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for 32-bit Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for ARM64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for x64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for ARM64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for x64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for ARM64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for x64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 (Server Core installation) | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 (Server Core installation) | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 (Server Core installation) | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 (Server Core installation) | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 (Server Core installation) | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21797 | Anonymous |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21798 MITRE NVD |
CVE Title: Microsoft ODBC Driver Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21798 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Windows 10 for 32-bit Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 for x64-based Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for 32-bit Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for x64-based Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for 32-bit Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for ARM64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for x64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for ARM64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 version 21H2 for x64-based Systems | 5022836 (Security Update) | Important | Remote Code Execution | 5022287 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for ARM64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 11 Version 22H2 for x64-based Systems | 5022845 (Security Update) | Important | Remote Code Execution | 5022303 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5022890 (Monthly Rollup) 5022893 (Security Only) |
Important | Remote Code Execution | 5022340 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5022872 (Monthly Rollup) 5022874 (Security Only) |
Important | Remote Code Execution | 5022338 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 (Server Core installation) | 5022903 (Monthly Rollup) 5022895 (Security Only) |
Important | Remote Code Execution | 5022348 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2012 R2 (Server Core installation) | 5022899 (Monthly Rollup) 5022894 (Security Only) |
Important | Remote Code Execution | 5022352 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2016 (Server Core installation) | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2019 (Server Core installation) | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows Server 2022 (Server Core installation) | 5022842 (Security Update) | Important | Remote Code Execution | 5022291 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
CVE ID | Acknowledgements |
CVE-2023-21798 | Anonymous |
CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
CVE-2023-21799 MITRE NVD |
CVE Title: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS: CVSS:3.1 8.8/7.7
FAQ: How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. Mitigations: None Workarounds: None Revision: 1.0    2023-02-14T08:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
Exploitability Assessment | Publicly Disclosed | Exploited |
Exploitation Less Likely | No | No |
The following tables list the affected software details for the vulnerability.
CVE-2023-21799 | ||||||
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required |
Windows 10 for 32-bit Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 for x64-based Systems | 5022858 (Security Update) | Important | Remote Code Execution | 5022297 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for 32-bit Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1607 for x64-based Systems | 5022838 (Security Update) | Important | Remote Code Execution | 5022289 | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for 32-bit Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for ARM64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 1809 for x64-based Systems | 5022840 (Security Update) | Important | Remote Code Execution | 5022286 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 20H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 21H2 for x64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for 32-bit Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |
Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
Windows 10 Version 22H2 for ARM64-based Systems | 5022834 (Security Update) | Important | Remote Code Execution | 5022282 |