NVD - CVE-2022-2077

Vulnerability Change Records for CVE-2022-2077

Change History

CVE Modified by VulDB 7/25/2022 3:15:42 PM

Action	Type	Old Value	New Value
Removed	CVSS V3.1	VulDB AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Removed	CVSS V3.1 Reason	A-No limiting factors
Removed	CVSS V3.1 Reason	AC-No Race Condition
Removed	CVSS V3.1 Reason	C-No limiting factors
Removed	CVSS V3.1 Reason	I-No limiting factors
Removed	CWE	VulDB CWE-284
Removed	CWE Reason	CWE-284 / Outside of 1003
Changed	Description	DISPUTED A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Removed	Reference	https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation [Patch, Vendor Advisory]
Removed	Reference	https://github.com/sixgroup-security/Advisories/tree/main/20211209_Conditional-Access-Bypass-via-Session-Hijacking-in-Microsoft-O365 [Exploit, Third Party Advisory]
Removed	Reference	https://vuldb.com/?id.192029 [Third Party Advisory]
Removed	Reference	https://www.mandiant.com/resources/russian-targeting-gov-business [Third Party Advisory]