June 2023 Microsoft Patch Tuesday
Today's Microsoft patch Tuesday addresses 94 vulnerabilities. This includes 14 Chromium vulnerabilities patched in Microsoft Edge, and five GitHub vulnerabilites. Six of these vulnerabilities are rated as critical.
Three critical vulnerabilities are remote code execution vulnerabilities related to the Windows Pragmatic Multicast (PGM) service. Past PGM vulnerabilities were related to the Microsoft Message Queue (MSMQ), for example, CVE-2023-28250, which was patched in April.
Two of the important vulnerabilities are caused by Microsoft Exchange. Exploitation requires authentication, so these remote code execution vulnerabilities are only regarded as important. But based on history with similar flaws, this issue is worth watching.
A critical vulnerability patched in Sharepoint allows the spoofing of JWT authentication tokens to gain access as an authenticated user.
This month, none of the vulnerabilities were made public before patch Tuesday, and none of them are already exploited.
Description | |||||||
---|---|---|---|---|---|---|---|
CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
.NET Framework Remote Code Execution Vulnerability | |||||||
CVE-2023-29326 | No | No | - | - | Important | 7.8 | 6.8 |
.NET and Visual Studio Denial of Service Vulnerability | |||||||
CVE-2023-32030 | No | No | - | - | Important | 7.5 | 6.7 |
.NET and Visual Studio Elevation of Privilege Vulnerability | |||||||
CVE-2023-32032 | No | No | - | - | Important | 6.5 | 5.9 |
CVE-2023-33135 | No | No | - | - | Important | 7.3 | 6.6 |
.NET and Visual Studio Remote Code Execution Vulnerability | |||||||
CVE-2023-33126 | No | No | - | - | Important | 7.3 | 6.6 |
CVE-2023-33128 | No | No | - | - | Important | 7.3 | 6.6 |
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | |||||||
CVE-2023-29331 | No | No | - | - | Important | 7.5 | 6.7 |
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | |||||||
CVE-2023-24936 | No | No | - | - | Moderate | 8.1 | 7.1 |
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | |||||||
CVE-2023-24897 | No | No | - | - | Critical | 7.8 | 6.8 |
CVE-2023-24895 | No | No | - | - | Important | 7.8 | 6.8 |
AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk FBX SDK 2020 or prior | |||||||
CVE-2023-27909 | No | No | - | - | Important | ||
AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior | |||||||
CVE-2023-27910 | No | No | - | - | Important | ||
AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior | |||||||
CVE-2023-27911 | No | No | - | - | Important | ||
Azure DevOps Server Spoofing Vulnerability | |||||||
CVE-2023-21565 | No | No | - | - | Important | 7.1 | 6.2 |
CVE-2023-21569 | No | No | - | - | Important | 5.5 | 4.8 |
Chromium: CVE-2023-2929 Out of bounds write in Swiftshader | |||||||
CVE-2023-2929 | No | No | - | - | - | ||
Chromium: CVE-2023-2930 Use after free in Extensions | |||||||
CVE-2023-2930 | No | No | - | - | - | ||
Chromium: CVE-2023-2931 Use after free in PDF | |||||||
CVE-2023-2931 | No | No | - | - | - | ||
Chromium: CVE-2023-2932 Use after free in PDF | |||||||
CVE-2023-2932 | No | No | - | - | - | ||
Chromium: CVE-2023-2933 Use after free in PDF | |||||||
CVE-2023-2933 | No | No | - | - | - | ||
Chromium: CVE-2023-2934 Out of bounds memory access in Mojo | |||||||
CVE-2023-2934 | No | No | - | - | - | ||
Chromium: CVE-2023-2935 Type Confusion in V8 | |||||||
CVE-2023-2935 | No | No | - | - | - | ||
Chromium: CVE-2023-2936 Type Confusion in V8 | |||||||
CVE-2023-2936 | No | No | - | - | - | ||
Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture | |||||||
CVE-2023-2937 | No | No | - | - | - | ||
Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture | |||||||
CVE-2023-2938 | No | No | - | - | - | ||
Chromium: CVE-2023-2939 Insufficient data validation in Installer | |||||||
CVE-2023-2939 | No | No | - | - | - | ||
Chromium: CVE-2023-2940 Inappropriate implementation in Downloads | |||||||
CVE-2023-2940 | No | No | - | - | - | ||
Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API | |||||||
CVE-2023-2941 | No | No | - | - | - | ||
Chromium: CVE-2023-3079 Type Confusion in V8 | |||||||
CVE-2023-3079 | No | No | - | - | - | ||
DHCP Server Service Information Disclosure Vulnerability | |||||||
CVE-2023-29355 | No | No | - | - | Important | 5.3 | 4.6 |
Dynamics 365 Finance Spoofing Vulnerability | |||||||
CVE-2023-24896 | No | No | - | - | Important | 5.4 | 4.7 |
GDI Elevation of Privilege Vulnerability | |||||||
CVE-2023-29359 | No | No | - | - | Important | 7.8 | 6.8 |
GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write | |||||||
CVE-2023-25652 | No | No | - | - | Important | ||
GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place | |||||||
CVE-2023-25815 | No | No | - | - | Important | ||
GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` | |||||||
CVE-2023-29007 | No | No | - | - | Important | ||
GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing | |||||||
CVE-2023-29011 | No | No | - | - | Important | ||
GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists | |||||||
CVE-2023-29012 | No | No | - | - | Important | ||
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | |||||||
CVE-2023-33143 | No | No | Less Likely | Less Likely | Moderate | 7.5 | 6.5 |
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | |||||||
CVE-2023-33145 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||||
CVE-2023-29345 | No | No | Less Likely | Less Likely | Low | 6.1 | 5.3 |
Microsoft Excel Remote Code Execution Vulnerability | |||||||
CVE-2023-32029 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2023-33137 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2023-33133 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Exchange Server Remote Code Execution Vulnerability | |||||||
CVE-2023-28310 | No | No | - | - | Important | 8.0 | 7.0 |
CVE-2023-32031 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft ODBC Driver Remote Code Execution Vulnerability | |||||||
CVE-2023-29373 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft Office Remote Code Execution Vulnerability | |||||||
CVE-2023-33146 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft OneNote Spoofing Vulnerability | |||||||
CVE-2023-33140 | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft Outlook Remote Code Execution Vulnerability | |||||||
CVE-2023-33131 | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | |||||||
CVE-2023-32017 | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Power Apps Spoofing Vulnerability | |||||||
CVE-2023-32024 | No | No | - | - | Important | 3.0 | 2.6 |
Microsoft SharePoint Denial of Service Vulnerability | |||||||
CVE-2023-33129 | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft SharePoint Server Elevation of Privilege Vulnerability | |||||||
CVE-2023-29357 | No | No | - | - | Critical | 9.8 | 8.5 |
CVE-2023-33142 | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft SharePoint Server Spoofing Vulnerability | |||||||
CVE-2023-33130 | No | No | - | - | Important | 7.3 | 6.4 |
CVE-2023-33132 | No | No | - | - | Important | 6.3 | 5.5 |
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | |||||||
CVE-2023-29372 | No | No | - | - | Important | 8.8 | 7.7 |
NTFS Elevation of Privilege Vulnerability | |||||||
CVE-2023-29346 | No | No | - | - | Important | 7.8 | 6.8 |
NuGet Client Remote Code Execution Vulnerability | |||||||
CVE-2023-29337 | No | No | - | - | Important | 7.1 | 6.2 |
Remote Desktop Client Remote Code Execution Vulnerability | |||||||
CVE-2023-29362 | No | No | - | - | Important | 8.8 | 7.7 |
Remote Procedure Call Runtime Denial of Service Vulnerability | |||||||
CVE-2023-29369 | No | No | - | - | Important | 6.5 | 5.7 |
Sysinternals Process Monitor for Windows Denial of Service Vulnerability | |||||||
CVE-2023-29353 | No | No | - | - | Low | 5.5 | 4.8 |
Visual Studio Code Spoofing Vulnerability | |||||||
CVE-2023-33144 | No | No | - | - | Important | 5.0 | 4.5 |
Visual Studio Information Disclosure Vulnerability | |||||||
CVE-2023-33139 | No | No | - | - | Important | 5.5 | 5.0 |
Windows Authentication Elevation of Privilege Vulnerability | |||||||
CVE-2023-29364 | No | No | - | - | Important | 7.0 | 6.3 |
Windows Bus Filter Driver Elevation of Privilege Vulnerability | |||||||
CVE-2023-32010 | No | No | - | - | Important | 7.0 | 6.1 |
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | |||||||
CVE-2023-29361 | No | No | - | - | Important | 7.0 | 6.1 |
Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | |||||||
CVE-2023-32009 | No | No | - | - | Important | 8.8 | 7.7 |
Windows Container Manager Service Elevation of Privilege Vulnerability | |||||||
CVE-2023-32012 | No | No | - | - | Important | 6.3 | 5.5 |
Windows CryptoAPI Denial of Service Vulnerability | |||||||
CVE-2023-24937 | No | No | - | - | Important | 6.5 | 5.7 |
CVE-2023-24938 | No | No | - | - | Important | 6.5 | 5.7 |
Windows DNS Spoofing Vulnerability | |||||||
CVE-2023-32020 | No | No | - | - | Important | 3.7 | 3.2 |
Windows Filtering Platform Elevation of Privilege Vulnerability | |||||||
CVE-2023-29368 | No | No | - | - | Important | 7.0 | 6.1 |
Windows GDI Elevation of Privilege Vulnerability | |||||||
CVE-2023-29358 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2023-29371 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Geolocation Service Remote Code Execution Vulnerability | |||||||
CVE-2023-29366 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Group Policy Elevation of Privilege Vulnerability | |||||||
CVE-2023-29351 | No | No | - | - | Important | 8.1 | 7.1 |
Windows Hello Remote Code Execution Vulnerability | |||||||
CVE-2023-32018 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
CVE-2023-32013 | No | No | - | - | Critical | 6.5 | 5.7 |
Windows Installer Information Disclosure Vulnerability | |||||||
CVE-2023-32016 | No | No | - | - | Important | 5.5 | 4.8 |
Windows Kernel Information Disclosure Vulnerability | |||||||
CVE-2023-32019 | No | No | - | - | Important | 4.7 | 4.1 |
Windows Media Remote Code Execution Vulnerability | |||||||
CVE-2023-29365 | No | No | - | - | Important | 7.8 | 6.8 |
CVE-2023-29370 | No | No | - | - | Important | 7.8 | 6.8 |
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | |||||||
CVE-2023-29363 | No | No | - | - | Critical | 9.8 | 8.5 |
CVE-2023-32014 | No | No | - | - | Critical | 9.8 | 8.5 |
CVE-2023-32015 | No | No | - | - | Critical | 9.8 | 8.5 |
Windows Remote Desktop Security Feature Bypass Vulnerability | |||||||
CVE-2023-29352 | No | No | - | - | Important | 6.5 | 5.7 |
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | |||||||
CVE-2023-32008 | No | No | - | - | Important | 7.8 | 6.8 |
Windows SMB Witness Service Security Feature Bypass Vulnerability | |||||||
CVE-2023-32021 | No | No | - | - | Important | 7.1 | 6.2 |
Windows Server Service Security Feature Bypass Vulnerability | |||||||
CVE-2023-32022 | No | No | - | - | Important | 7.6 | 6.6 |
Windows TPM Device Driver Elevation of Privilege Vulnerability | |||||||
CVE-2023-29360 | No | No | - | - | Important | 7.8 | 6.8 |
Windows iSCSI Discovery Service Denial of Service Vulnerability | |||||||
CVE-2023-32011 | No | No | - | - | Important | 7.5 | 6.5 |
Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability | |||||||
CVE-2023-33141 | No | No | - | - | Important | 7.5 | 6.7 |
iSCSI Target WMI Provider Remote Code Execution Vulnerability | |||||||
CVE-2023-29367 | No | No | - | - | Important | 7.8 | 6.8 |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments