June 2023 Microsoft Patch Tuesday

Published: 2023-06-13. Last Updated: 2023-06-13 18:30:28 UTC
by Johannes Ullrich (Version: 1)

Today's Microsoft patch Tuesday addresses 94 vulnerabilities. This includes 14 Chromium vulnerabilities patched in Microsoft Edge, and five GitHub vulnerabilites. Six of these vulnerabilities are rated as critical.

Three critical vulnerabilities are remote code execution vulnerabilities related to the Windows Pragmatic Multicast (PGM) service. Past PGM vulnerabilities were related to the Microsoft Message Queue (MSMQ), for example, CVE-2023-28250, which was patched in April.

Two of the important vulnerabilities are caused by Microsoft Exchange. Exploitation requires authentication, so these remote code execution vulnerabilities are only regarded as important. But based on history with similar flaws, this issue is worth watching.

A critical vulnerability patched in Sharepoint allows the spoofing of JWT authentication tokens to gain access as an authenticated user.

This month, none of the vulnerabilities were made public before patch Tuesday, and none of them are already exploited.

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
.NET Framework Remote Code Execution Vulnerability
CVE-2023-29326	No	No	-	-	Important	7.8	6.8
.NET and Visual Studio Denial of Service Vulnerability
CVE-2023-32030	No	No	-	-	Important	7.5	6.7
.NET and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-32032	No	No	-	-	Important	6.5	5.9
CVE-2023-33135	No	No	-	-	Important	7.3	6.6
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-33126	No	No	-	-	Important	7.3	6.6
CVE-2023-33128	No	No	-	-	Important	7.3	6.6
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
CVE-2023-29331	No	No	-	-	Important	7.5	6.7
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-24936	No	No	-	-	Moderate	8.1	7.1
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2023-24897	No	No	-	-	Critical	7.8	6.8
CVE-2023-24895	No	No	-	-	Important	7.8	6.8
AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk FBX SDK 2020 or prior
CVE-2023-27909	No	No	-	-	Important
AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior
CVE-2023-27910	No	No	-	-	Important
AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior
CVE-2023-27911	No	No	-	-	Important
Azure DevOps Server Spoofing Vulnerability
CVE-2023-21565	No	No	-	-	Important	7.1	6.2
CVE-2023-21569	No	No	-	-	Important	5.5	4.8
Chromium: CVE-2023-2929 Out of bounds write in Swiftshader
CVE-2023-2929	No	No	-	-	-
Chromium: CVE-2023-2930 Use after free in Extensions
CVE-2023-2930	No	No	-	-	-
Chromium: CVE-2023-2931 Use after free in PDF
CVE-2023-2931	No	No	-	-	-
Chromium: CVE-2023-2932 Use after free in PDF
CVE-2023-2932	No	No	-	-	-
Chromium: CVE-2023-2933 Use after free in PDF
CVE-2023-2933	No	No	-	-	-
Chromium: CVE-2023-2934 Out of bounds memory access in Mojo
CVE-2023-2934	No	No	-	-	-
Chromium: CVE-2023-2935 Type Confusion in V8
CVE-2023-2935	No	No	-	-	-
Chromium: CVE-2023-2936 Type Confusion in V8
CVE-2023-2936	No	No	-	-	-
Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture
CVE-2023-2937	No	No	-	-	-
Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture
CVE-2023-2938	No	No	-	-	-
Chromium: CVE-2023-2939 Insufficient data validation in Installer
CVE-2023-2939	No	No	-	-	-
Chromium: CVE-2023-2940 Inappropriate implementation in Downloads
CVE-2023-2940	No	No	-	-	-
Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API
CVE-2023-2941	No	No	-	-	-
Chromium: CVE-2023-3079 Type Confusion in V8
CVE-2023-3079	No	No	-	-	-
DHCP Server Service Information Disclosure Vulnerability
CVE-2023-29355	No	No	-	-	Important	5.3	4.6
Dynamics 365 Finance Spoofing Vulnerability
CVE-2023-24896	No	No	-	-	Important	5.4	4.7
GDI Elevation of Privilege Vulnerability
CVE-2023-29359	No	No	-	-	Important	7.8	6.8
GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write
CVE-2023-25652	No	No	-	-	Important
GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place
CVE-2023-25815	No	No	-	-	Important
GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit`
CVE-2023-29007	No	No	-	-	Important
GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing
CVE-2023-29011	No	No	-	-	Important
GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists
CVE-2023-29012	No	No	-	-	Important
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-33143	No	No	Less Likely	Less Likely	Moderate	7.5	6.5
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVE-2023-33145	No	No	Less Likely	Less Likely	Important	6.5	5.7
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVE-2023-29345	No	No	Less Likely	Less Likely	Low	6.1	5.3
Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-32029	No	No	-	-	Important	7.8	6.8
CVE-2023-33137	No	No	-	-	Important	7.8	6.8
CVE-2023-33133	No	No	-	-	Important	7.8	6.8
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-28310	No	No	-	-	Important	8.0	7.0
CVE-2023-32031	No	No	-	-	Important	8.8	7.7
Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-29373	No	No	-	-	Important	8.8	7.7
Microsoft Office Remote Code Execution Vulnerability
CVE-2023-33146	No	No	-	-	Important	7.8	6.8
Microsoft OneNote Spoofing Vulnerability
CVE-2023-33140	No	No	-	-	Important	6.5	5.7
Microsoft Outlook Remote Code Execution Vulnerability
CVE-2023-33131	No	No	-	-	Important	8.8	7.7
Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVE-2023-32017	No	No	-	-	Important	7.8	6.8
Microsoft Power Apps Spoofing Vulnerability
CVE-2023-32024	No	No	-	-	Important	3.0	2.6
Microsoft SharePoint Denial of Service Vulnerability
CVE-2023-33129	No	No	-	-	Important	6.5	5.7
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-29357	No	No	-	-	Critical	9.8	8.5
CVE-2023-33142	No	No	-	-	Important	6.5	5.7
Microsoft SharePoint Server Spoofing Vulnerability
CVE-2023-33130	No	No	-	-	Important	7.3	6.4
CVE-2023-33132	No	No	-	-	Important	6.3	5.5
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-29372	No	No	-	-	Important	8.8	7.7
NTFS Elevation of Privilege Vulnerability
CVE-2023-29346	No	No	-	-	Important	7.8	6.8
NuGet Client Remote Code Execution Vulnerability
CVE-2023-29337	No	No	-	-	Important	7.1	6.2
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2023-29362	No	No	-	-	Important	8.8	7.7
Remote Procedure Call Runtime Denial of Service Vulnerability
CVE-2023-29369	No	No	-	-	Important	6.5	5.7
Sysinternals Process Monitor for Windows Denial of Service Vulnerability
CVE-2023-29353	No	No	-	-	Low	5.5	4.8
Visual Studio Code Spoofing Vulnerability
CVE-2023-33144	No	No	-	-	Important	5.0	4.5
Visual Studio Information Disclosure Vulnerability
CVE-2023-33139	No	No	-	-	Important	5.5	5.0
Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-29364	No	No	-	-	Important	7.0	6.3
Windows Bus Filter Driver Elevation of Privilege Vulnerability
CVE-2023-32010	No	No	-	-	Important	7.0	6.1
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-29361	No	No	-	-	Important	7.0	6.1
Windows Collaborative Translation Framework Elevation of Privilege Vulnerability
CVE-2023-32009	No	No	-	-	Important	8.8	7.7
Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-32012	No	No	-	-	Important	6.3	5.5
Windows CryptoAPI Denial of Service Vulnerability
CVE-2023-24937	No	No	-	-	Important	6.5	5.7
CVE-2023-24938	No	No	-	-	Important	6.5	5.7
Windows DNS Spoofing Vulnerability
CVE-2023-32020	No	No	-	-	Important	3.7	3.2
Windows Filtering Platform Elevation of Privilege Vulnerability
CVE-2023-29368	No	No	-	-	Important	7.0	6.1
Windows GDI Elevation of Privilege Vulnerability
CVE-2023-29358	No	No	-	-	Important	7.8	6.8
CVE-2023-29371	No	No	-	-	Important	7.8	6.8
Windows Geolocation Service Remote Code Execution Vulnerability
CVE-2023-29366	No	No	-	-	Important	7.8	6.8
Windows Group Policy Elevation of Privilege Vulnerability
CVE-2023-29351	No	No	-	-	Important	8.1	7.1
Windows Hello Remote Code Execution Vulnerability
CVE-2023-32018	No	No	-	-	Important	7.8	6.8
Windows Hyper-V Denial of Service Vulnerability
CVE-2023-32013	No	No	-	-	Critical	6.5	5.7
Windows Installer Information Disclosure Vulnerability
CVE-2023-32016	No	No	-	-	Important	5.5	4.8
Windows Kernel Information Disclosure Vulnerability
CVE-2023-32019	No	No	-	-	Important	4.7	4.1
Windows Media Remote Code Execution Vulnerability
CVE-2023-29365	No	No	-	-	Important	7.8	6.8
CVE-2023-29370	No	No	-	-	Important	7.8	6.8
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-29363	No	No	-	-	Critical	9.8	8.5
CVE-2023-32014	No	No	-	-	Critical	9.8	8.5
CVE-2023-32015	No	No	-	-	Critical	9.8	8.5
Windows Remote Desktop Security Feature Bypass Vulnerability
CVE-2023-29352	No	No	-	-	Important	6.5	5.7
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
CVE-2023-32008	No	No	-	-	Important	7.8	6.8
Windows SMB Witness Service Security Feature Bypass Vulnerability
CVE-2023-32021	No	No	-	-	Important	7.1	6.2
Windows Server Service Security Feature Bypass Vulnerability
CVE-2023-32022	No	No	-	-	Important	7.6	6.6
Windows TPM Device Driver Elevation of Privilege Vulnerability
CVE-2023-29360	No	No	-	-	Important	7.8	6.8
Windows iSCSI Discovery Service Denial of Service Vulnerability
CVE-2023-32011	No	No	-	-	Important	7.5	6.5
Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability
CVE-2023-33141	No	No	-	-	Important	7.5	6.7
iSCSI Target WMI Provider Remote Code Execution Vulnerability
CVE-2023-29367	No	No	-	-	Important	7.8	6.8

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:

0 comment(s)

Internet Storm Center

June 2023 Microsoft Patch Tuesday

Comments