Vulnerability description
Microsoft Exchange Server is a mail server developed by Microsoft Corporation.
In the affected version of Microsoft Exchange Server, an attacker with ordinary user rights (Exchange user credentials) may attack Exchange services in the same intranet environment and execute arbitrary code remotely.
Due to issues with the August 2023 patch in non-English versions, it is recommended to fix the vulnerability by applying the provided script mitigation for CVE-2023-21709. (https://aka.ms/CVE-2023-21709ScriptDoc)
Vulnerability name | Microsoft Exchange Server Remote Code Execution Vulnerability |
---|---|
Vulnerability type | code injection |
Discovery time | 2023/8/9 |
Vulnerability Breadth | wide |
MPS number | MPS-8ld7-492x |
CVE number | CVE-2023-38182 |
CNVD number | - |
Sphere of influence
Microsoft Exchange Server 2019@[Cumulative Update 12, Cumulative Update 13]
Microsoft Exchange Server 2016@[Cumulative Update 23, Cumulative Update 23]
Repair plan
Officially released patches and mitigations: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2023-38182、https://aka.ms/CVE-2023-21709ScriptDoc
Avoid exposing Exchange Server services to the outside world
reference link
https://www.oscs1024.com/hd/MPS-8ld7-492x
https://nvd.nist.gov/vuln/detail/CVE-2023-38182
https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2023-38182
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj