Описание
A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.
A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-2077
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation
- https://github.com/sixgroup-security/Advisories/tree/main/20211209_Conditional-Access-Bypass-via-Session-Hijacking-in-Microsoft-O365
- https://vuldb.com/?id.192029
- https://www.mandiant.com/resources/russian-targeting-gov-business
8.8 High
CVSS3
CVE ID
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
Уязвимость пакета программ Microsoft Office 365, связанная недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
8.8 High
CVSS3