Description
Microsoft Power Platform Connector Spoofing Vulnerability
Mitigations
The following mitigation has been applied to address this vulnerability:
As of November 17, 2023, newly created custom connectors that use OAuth 2.0 to authenticate automatically receive a per-connector redirect URI. Existing OAuth 2.0 connectors must be updated to use a per-connector redirect URI by February 19, 2024. Microsoft will start updating the custom connectors to use the per-connector redirect URLs on February 19, 2024. Between February 19, 2024 and March 29, 2024, custom connectors without a per-connector redirect URI will gradually become deprecated. After March 29, 2024, users will no longer be able to create connections to, or use, existing OAuth 2.0 custom connectors that have not been updated. For more information see https://learn.microsoft.com/en-us/connectors/custom-connectors/#21-oauth-20.
FAQ
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be compromised by the attacker.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine.
How do I know if my connector does not have a per-connector redirect URI?
Microsoft notified affected customers about this change in behavior via Microsoft 365 Admin Center (MC690931) or Service Health in the Azure Portal (3_SH-LTG) starting on November 17th, 2023. You will need to validate your custom connectors and follow the guidance to make the switch to the per-connector URI.
How do I know if a notification was sent to my organization?
Notifications were sent to customers via the Microsoft 365 Admin Center using a Data Privacy tag. This means that only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them at https://azure.microsoft.com/en-us/blog/understanding-service-health-communications-for-azure-vulnerabilities/. If you are a Logic Apps customer, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.
What is the nature of the spoofing?
An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.
Updates
| Product | Article | Update |
|---|---|---|
| Azure Logic Apps | | |
| Microsoft Power Platform | | |
Exploitability
CVSS3: 9.6 Critical
Related vulnerabilities
Microsoft Power Platform Connector Spoofing Vulnerability
A vulnerability in the Microsoft Power Platform Connector application programming interface, related to incorrect presentation of information by the user interface, that allows an attacker to carry out a spoofing attack.
CVSS3: 9.6 Critical