CVE-2023-38167: Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.2)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Aug

Released

2023-08-08

Last Updated

2023-08-15

EPSS Score

0.70% (percentile: 72.1%)

FAQ

According to the CVSS metric, privileges required is high (PR:H). What privileges does an attacker require to exploit this vulnerability? Successful exploitation of this vulnerability requires an attacker to already have admin or high privilege access to a security group within the tenant. Is the update for Microsoft Dynamics 365 Business Central 2023 Release Wave 1 listed in this vulnerability currently available? The security update for Microsoft Dynamics 365 Business Central 2023 Release Wave 1 is not immediately available. The update will be released as soon as possible, and when it is available, customers will be notified via a revision to this CVE information. August 15. 2023 Update: The security update for Microsoft Dynamics 365 Business Central 2023 Release Wave 1 is now available. Customers running Microsoft Dynamics 365 Business Central 2023 Release Wave 1 should install the update to be protected from the vulnerability.

Affected Products (1)

Microsoft Dynamics

• Microsoft Dynamics 365 Business Central 2023 Release Wave 1

Security Updates (1)

• 5029765

Acknowledgments

Darrick Joo

Revision History

• 2023-08-08: Information published.
• 2023-08-15: In the Security Updates table, made the following revision: The security update for Microsoft Dynamics 365 Business Central 2023 Release Wave 1 is now available. Customers running this affected version of Microsoft Dynamics 365 Business Central 2023 should install the update to be protected from this vulnerability.