CVE-2023-24890: Microsoft OneDrive for iOS Security Feature Bypass Vulnerability

Overview

  • Severity: Medium (CVSS 6.5)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  • Category: Security Feature Bypass
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2023-Mar
  • Released: 2023-03-14
  • EPSS Score: 4.31% (percentile: 88.9%)

FAQ

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could gain access to files stored in a locked vault.

Does this vulnerability affect all OneDrive for iOS customers?
No. Only customers based in Australia are required to take action, as the feature which was susceptible to this vulnerability was only deployed to that region.

Affected Products (1)

Apps

  • OneDrive for iOS

Security Updates (1)

Acknowledgments

Maxwell Swadling

Revision History

  • 2023-03-14: Information published.