cvelistv5 - CVE-2023-41763

CVE-2023-41763

Vulnerability from cvelistv5

Published

2023-10-10 17:07

Modified

2025-01-01 02:10

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Summary

Skype for Business Elevation of Privilege Vulnerability

References

▼	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763	Patch, Vendor Advisory

Impacted products

Vendor

Product

Version

▼

Microsoft

Skype for Business Server 2015 CU13

Version: 9319.0 < 6.0.9319.869

Microsoft

Skype for Business Server 2019 CU7

Version: 2046.0 < 7.0.246.530

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

Date added: 2023-10-10

Due date: 2023-10-31

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Used in ransomware: Unknown

Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763; https://nvd.nist.gov/vuln/detail/CVE-2023-41763

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41763",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T20:26:59.238274Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-10-10",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-41763"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T20:27:33.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:09:47.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Skype for Business Elevation of Privilege Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Skype for Business Server 2015 CU13",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.9319.869",
              "status": "affected",
              "version": "9319.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Skype for Business Server 2019 CU7",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.0.246.530",
              "status": "affected",
              "version": "2046.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:skype_for_business_server:*:cu13:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.9319.869",
                  "versionStartIncluding": "9319.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:skype_for_business_server:*:cu7:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.246.530",
                  "versionStartIncluding": "2046.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2023-10-10T07:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Skype for Business Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-01T02:10:29.127Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Skype for Business Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
        }
      ],
      "title": "Skype for Business Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2023-41763",
    "datePublished": "2023-10-10T17:07:24.950Z",
    "dateReserved": "2023-08-31T23:08:32.064Z",
    "dateUpdated": "2025-01-01T02:10:29.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2023-41763",
      "cwes": "[\"CWE-918\"]",
      "dateAdded": "2023-10-10",
      "dueDate": "2023-10-31",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763;   https://nvd.nist.gov/vuln/detail/CVE-2023-41763",
      "product": "Skype for Business",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Microsoft Skype for Business contains an unspecified vulnerability that allows for privilege escalation.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Skype for Business Privilege Escalation Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41763\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2023-10-10T18:15:18.150\",\"lastModified\":\"2024-11-29T14:36:59.690\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Skype for Business Elevation of Privilege Vulnerability\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de elevaci\u00f3n de privilegios en Skype Empresarial\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"cisaExploitAdd\":\"2023-10-10\",\"cisaActionDue\":\"2023-10-31\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Microsoft Skype for Business Privilege Escalation Vulnerability\",\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:skype_for_business_server:2015:cumulative_update_13:*:*:*:*:*:*\",\"matchCriteriaId\":\"590D1547-C998-4BDD-BE06-379099E2D9C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:skype_for_business_server:2019:cumulative_update_7:*:*:*:*:*:*\",\"matchCriteriaId\":\"4172BD0D-5F18-4E0C-8BAF-72A052432B2B\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763\", \"name\": \"Skype for Business Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:09:47.991Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41763\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-16T20:26:59.238274Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2023-10-10\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-41763\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-09T20:25:52.729Z\"}}], \"cna\": {\"title\": \"Skype for Business Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Skype for Business Server 2015 CU13\", \"versions\": [{\"status\": \"affected\", \"version\": \"9319.0\", \"lessThan\": \"6.0.9319.869\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Skype for Business Server 2019 CU7\", \"versions\": [{\"status\": \"affected\", \"version\": \"2046.0\", \"lessThan\": \"7.0.246.530\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}], \"datePublic\": \"2023-10-10T07:00:00+00:00\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763\", \"name\": \"Skype for Business Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Skype for Business Elevation of Privilege Vulnerability\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:skype_for_business_server:*:cu13:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0.9319.869\", \"versionStartIncluding\": \"9319.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:skype_for_business_server:*:cu7:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.0.246.530\", \"versionStartIncluding\": \"2046.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2024-12-10T18:19:41.419Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-41763\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-10T18:19:41.419Z\", \"dateReserved\": \"2023-08-31T23:08:32.064Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2023-10-10T17:07:24.950Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

msrc_cve-2023-41763

Vulnerability from csaf_microsoft

Published

2023-10-10 07:00

Modified

2023-10-10 07:00

Summary

Skype for Business Elevation of Privilege Vulnerability

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action

Required. The vulnerability documented by this CVE requires customer action to resolve.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Anonymous"
        ]
      },
      {
        "names": [
          "Dr. Florian Hauser (@frycos) with Code White GmbH"
        ]
      },
      {
        "names": [
          "Anonymous"
        ]
      },
      {
        "names": [
          "Anonymous"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
      },
      {
        "category": "self",
        "summary": "CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/2023/msrc_cve-2023-41763.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Skype for Business Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2023-10-10T07:00:00.000Z",
      "generator": {
        "date": "2025-01-01T02:10:24.763Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-41763",
      "initial_release_date": "2023-10-10T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-10-10T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c6.0.9319.869",
            "product": {
              "name": "Skype for Business Server 2015 CU13 \u003c6.0.9319.869",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "6.0.9319.869",
            "product": {
              "name": "Skype for Business Server 2015 CU13 6.0.9319.869",
              "product_id": "12224"
            }
          }
        ],
        "category": "product_name",
        "name": "Skype for Business Server 2015 CU13"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c7.0.246.530",
            "product": {
              "name": "Skype for Business Server 2019 CU7 \u003c7.0.246.530",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "7.0.246.530",
            "product": {
              "name": "Skype for Business Server 2019 CU7 7.0.246.530",
              "product_id": "12223"
            }
          }
        ],
        "category": "product_name",
        "name": "Skype for Business Server 2019 CU7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-41763",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker.",
          "title": "How could an attacker exploit this vulnerability?"
        },
        {
          "category": "faq",
          "text": "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).",
          "title": "According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "In some cases, the exposed sensitive information could provide access to internal networks.",
          "title": "If the successful attacker only could view some sensitive information, how is this an elevation of privilege vulnerability?"
        }
      ],
      "product_status": {
        "fixed": [
          "12223",
          "12224"
        ],
        "known_affected": [
          "1",
          "2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
        },
        {
          "category": "self",
          "summary": "CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-10T07:00:00.000Z",
          "details": "6.0.9319.869:Security Update:https://support.microsoft.com/help/3061064",
          "product_ids": [
            "1"
          ],
          "url": "https://support.microsoft.com/help/3061064"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-10T07:00:00.000Z",
          "details": "7.0.246.530:Security Update:https://support.microsoft.com/help/4470124",
          "product_ids": [
            "2"
          ],
          "url": "https://support.microsoft.com/help/4470124"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 4.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Exploited:Yes;Latest Software Release:Exploitation Detected"
        }
      ],
      "title": "Skype for Business Elevation of Privilege Vulnerability"
    }
  ]
}

gsd-2023-41763

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Skype for Business Elevation of Privilege Vulnerability

Aliases

CVE-2023-41763

Aliases

CVE-2023-41763

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-41763",
    "id": "GSD-2023-41763"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-41763"
      ],
      "details": "Skype for Business Elevation of Privilege Vulnerability",
      "id": "GSD-2023-41763",
      "modified": "2023-12-13T01:20:45.529212Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2023-41763",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Skype for Business Server 2015 CU13",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "9319.0",
                          "version_value": "6.0.9319.869"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Skype for Business Server 2019 CU7",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "2046.0",
                          "version_value": "7.0.246.530"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Skype for Business Elevation of Privilege Vulnerability"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Elevation of Privilege"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763",
            "refsource": "MISC",
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:skype_for_business_server:2015:cumulative_update_13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:skype_for_business_server:2019:cumulative_update_7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2023-41763"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Skype for Business Elevation of Privilege Vulnerability"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-10-12T22:18Z",
      "publishedDate": "2023-10-10T18:15Z"
    }
  }
}

ghsa-7997-4r78-h34m

Vulnerability from github

Published

2023-10-10 18:31

Modified

2024-04-04 08:32

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

Skype for Business Elevation of Privilege Vulnerability

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-41763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T18:15:18Z",
    "severity": "MODERATE"
  },
  "details": "Skype for Business Elevation of Privilege Vulnerability",
  "id": "GHSA-7997-4r78-h34m",
  "modified": "2024-04-04T08:32:49Z",
  "published": "2023-10-10T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41763"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2023-2608

Vulnerability from csaf_certbund

Published

2023-10-10 22:00

Modified

2023-10-10 22:00

Summary

Microsoft Office: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Microsoft 365 Apps ist eine Office Suite für zahlreiche Büroanwendungen. Die Microsoft Office Suite beinhaltet zahlreiche Büroanwendungen wie Textverarbeitung, Tabellenkalkulation, Datenbank und weitere Applikationen. Skype ist ein Instant-Messaging-Dienst. Unterstützt werden Videokonferenzen, IP-Telefonie, Instant-Messaging, Dateiübertragung und Screen-Sharing.

Angriff

Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Microsoft Office ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code auszuführen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Microsoft 365 Apps ist eine Office Suite f\u00fcr zahlreiche B\u00fcroanwendungen.\r\nDie Microsoft Office Suite beinhaltet zahlreiche B\u00fcroanwendungen wie Textverarbeitung, Tabellenkalkulation, Datenbank und weitere Applikationen.\r\nSkype ist ein Instant-Messaging-Dienst. Unterst\u00fctzt werden Videokonferenzen, IP-Telefonie, Instant-Messaging, Datei\u00fcbertragung und Screen-Sharing.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Microsoft Office ausnutzen, um seine Privilegien zu erh\u00f6hen und beliebigen Code auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2608 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2608.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2608 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2608"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2023-10-10",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Office: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-10-10T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:59:39.815+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2608",
      "initial_release_date": "2023-10-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-10-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Microsoft 365 Apps",
            "product": {
              "name": "Microsoft 365 Apps",
              "product_id": "T016910",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:365_apps:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Office LTSC for Mac 2021",
                "product": {
                  "name": "Microsoft Office LTSC for Mac 2021",
                  "product_id": "T020985",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_for_mac_2021"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office for Android",
                "product": {
                  "name": "Microsoft Office for Android",
                  "product_id": "T026296",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:for_android"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office for Universal",
                "product": {
                  "name": "Microsoft Office for Universal",
                  "product_id": "T026297",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:for_universal"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office LTSC 2021",
                "product": {
                  "name": "Microsoft Office LTSC 2021",
                  "product_id": "T029334",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_2021"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Office"
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2019",
            "product": {
              "name": "Microsoft Office 2019",
              "product_id": "T014534",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2019:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2019 for Mac",
            "product": {
              "name": "Microsoft Office 2019 for Mac",
              "product_id": "T014533",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2019_for_mac:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Skype for Business Server 2015 CU13",
                "product": {
                  "name": "Microsoft Skype for Business Server 2015 CU13",
                  "product_id": "T030376",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:skype:for_business_server_2015_cu13"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Skype for Business Server 2019 CU7",
                "product": {
                  "name": "Microsoft Skype for Business Server 2019 CU7",
                  "product_id": "T030377",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:skype:for_business_server_2019_cu7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Skype"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-41763",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-41763"
    },
    {
      "cve": "CVE-2023-36789",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36789"
    },
    {
      "cve": "CVE-2023-36786",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36786"
    },
    {
      "cve": "CVE-2023-36780",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36780"
    },
    {
      "cve": "CVE-2023-36569",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36569"
    },
    {
      "cve": "CVE-2023-36568",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36568"
    },
    {
      "cve": "CVE-2023-36565",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36565"
    }
  ]
}

wid-sec-w-2023-2608

Vulnerability from csaf_certbund

Published

2023-10-10 22:00

Modified

2023-10-10 22:00

Summary

Microsoft Office: Mehrere Schwachstellen

Notes

Produktbeschreibung

Angriff

Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Microsoft Office ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code auszuführen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Microsoft 365 Apps ist eine Office Suite f\u00fcr zahlreiche B\u00fcroanwendungen.\r\nDie Microsoft Office Suite beinhaltet zahlreiche B\u00fcroanwendungen wie Textverarbeitung, Tabellenkalkulation, Datenbank und weitere Applikationen.\r\nSkype ist ein Instant-Messaging-Dienst. Unterst\u00fctzt werden Videokonferenzen, IP-Telefonie, Instant-Messaging, Datei\u00fcbertragung und Screen-Sharing.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Microsoft Office ausnutzen, um seine Privilegien zu erh\u00f6hen und beliebigen Code auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2608 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2608.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2608 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2608"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2023-10-10",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Office: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-10-10T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:59:39.815+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2608",
      "initial_release_date": "2023-10-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-10-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Microsoft 365 Apps",
            "product": {
              "name": "Microsoft 365 Apps",
              "product_id": "T016910",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:365_apps:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Office LTSC for Mac 2021",
                "product": {
                  "name": "Microsoft Office LTSC for Mac 2021",
                  "product_id": "T020985",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_for_mac_2021"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office for Android",
                "product": {
                  "name": "Microsoft Office for Android",
                  "product_id": "T026296",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:for_android"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office for Universal",
                "product": {
                  "name": "Microsoft Office for Universal",
                  "product_id": "T026297",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:for_universal"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Office LTSC 2021",
                "product": {
                  "name": "Microsoft Office LTSC 2021",
                  "product_id": "T029334",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_2021"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Office"
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2019",
            "product": {
              "name": "Microsoft Office 2019",
              "product_id": "T014534",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2019:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2019 for Mac",
            "product": {
              "name": "Microsoft Office 2019 for Mac",
              "product_id": "T014533",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2019_for_mac:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Skype for Business Server 2015 CU13",
                "product": {
                  "name": "Microsoft Skype for Business Server 2015 CU13",
                  "product_id": "T030376",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:skype:for_business_server_2015_cu13"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Microsoft Skype for Business Server 2019 CU7",
                "product": {
                  "name": "Microsoft Skype for Business Server 2019 CU7",
                  "product_id": "T030377",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:skype:for_business_server_2019_cu7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Skype"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-41763",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-41763"
    },
    {
      "cve": "CVE-2023-36789",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36789"
    },
    {
      "cve": "CVE-2023-36786",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36786"
    },
    {
      "cve": "CVE-2023-36780",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36780"
    },
    {
      "cve": "CVE-2023-36569",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36569"
    },
    {
      "cve": "CVE-2023-36568",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36568"
    },
    {
      "cve": "CVE-2023-36565",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in verschiedenen Microsoft Office Produkten. Die Fehler bestehen u.a. aufgrund einer Race Condition bei der Durchf\u00fchrung von Dateioperationen auf dem Rechner zu einem bestimmten Zeitpunkt, einem Netzwerkaufruf an den angreifenden Skype for Business Server, der das Parsen einer http-Anfrage an eine beliebige Adresse ausl\u00f6sen kann und einem Path-Traversal. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern und beliebigen Code auszuf\u00fchren. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert erh\u00f6hte Rechte."
        }
      ],
      "product_status": {
        "known_affected": [
          "T030376",
          "T026296",
          "T030377",
          "T020985",
          "T014533",
          "T016910",
          "T014534",
          "T026297",
          "T029334"
        ]
      },
      "release_date": "2023-10-10T22:00:00.000+00:00",
      "title": "CVE-2023-36565"
    }
  ]
}

fkie_cve-2023-41763

Vulnerability from fkie_nvd

Published

2023-10-10 18:15

Modified

2024-11-29 14:36

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Skype for Business Elevation of Privilege Vulnerability

References

▼	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	microsoft	skype_for_business_server	2015
	microsoft	skype_for_business_server	2019

JSON

To clipboard

{
  "cisaActionDue": "2023-10-31",
  "cisaExploitAdd": "2023-10-10",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Microsoft Skype for Business Privilege Escalation Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:skype_for_business_server:2015:cumulative_update_13:*:*:*:*:*:*",
              "matchCriteriaId": "590D1547-C998-4BDD-BE06-379099E2D9C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:skype_for_business_server:2019:cumulative_update_7:*:*:*:*:*:*",
              "matchCriteriaId": "4172BD0D-5F18-4E0C-8BAF-72A052432B2B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Skype for Business Elevation of Privilege Vulnerability"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de elevaci\u00f3n de privilegios en Skype Empresarial"
    }
  ],
  "id": "CVE-2023-41763",
  "lastModified": "2024-11-29T14:36:59.690",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "secure@microsoft.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-10T18:15:18.150",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-41763

Vulnerability from cvelistv5

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

msrc_cve-2023-41763

Vulnerability from csaf_microsoft

gsd-2023-41763

Vulnerability from gsd

ghsa-7997-4r78-h34m

Vulnerability from github

WID-SEC-W-2023-2608

Vulnerability from csaf_certbund

wid-sec-w-2023-2608

Vulnerability from csaf_certbund

fkie_cve-2023-41763

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature