NVD - CVE-2022-2076

Vulnerability Change Records for CVE-2022-2076

Change History

CVE Modified by VulDB 7/25/2022 2:23:08 PM

Action	Type	Old Value	New Value
Removed	CVSS V3.1	VulDB AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Removed	CVSS V3.1 Reason	A-No limiting factors
Removed	CVSS V3.1 Reason	C-No limiting factors
Removed	CVSS V3.1 Reason	I-No limiting factors
Removed	CWE	VulDB CWE-613
Changed	Description	DISPUTED A vulnerability has been found in Microsoft O365 and classified as critical. The session cookies introduce a session expiration issue as they might be used by two clients at the same time. The attack can be initiated remotely. Exploit details have been disclosed to the public. The real-world consequences of this vulnerability are still doubted at the moment. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Removed	Reference	https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation [Patch, Vendor Advisory]
Removed	Reference	https://github.com/sixgroup-security/Advisories/tree/main/20211209_Missing-Session-Hijacking-Protection-in-Microsoft-O365 [Exploit, Third Party Advisory]
Removed	Reference	https://vuldb.com/?id.192028 [Permissions Required, Third Party Advisory]
Removed	Reference	https://www.mandiant.com/resources/russian-targeting-gov-business [Third Party Advisory]