Microsoft Power Platform Connector Spoofing Vulnerability — CVE-2023-36019

Zusammenfassung

Sicherheitshinweis CVE-2023-36019. Microsoft Power Platform Connector Spoofing Vulnerability Hersteller: Microsoft. Quelle: MSRC. Risiko: critical. CVSS 9.6. Details in der offiziellen Quelle.

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

• Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
• Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
• Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
• Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Zur offiziellen Quelle

Mehr dazu

• In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-47100
• Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability CVE-2023-35618
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2022-26592
• An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition. CVE-2023-51781
• An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. CVE-2023-51780
• An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition. CVE-2023-51782
• Azure Connected Machine Agent Elevation of Privilege Vulnerability CVE-2023-35624
• Azure DevOps Server Spoofing Vulnerability CVE-2023-21751
• Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability CVE-2023-35625
• Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel CVE-2023-45287
• Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an "double free or corruption" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled. CVE-2023-52284
• cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c. CVE-2023-50471