On May 9, 2023, Microsoft released a patch for a new information disclosure flaw in SharePoint Server—CVE-2023-24954. This vulnerability could allow attackers to access data they're not supposed to see. If your organization uses SharePoint Server, understanding this bug, how it works, and what to do about it is critical.
This post explains the vulnerability in simple terms, gives real code snippets, and links to key sources. Whether you're a security pro or an IT admin, here's what you need to know.
What is CVE-2023-24954?
CVE-2023-24954 is classified as an information disclosure vulnerability. What does that mean? It lets an attacker get access to information in SharePoint Server that should stay private.
Technical Impact:
An authenticated user could exploit this to read files or data they don't have permission to see.
Affected Products: SharePoint Server 2016, 2019, and Subscription Edition.
- Severity: Important, with a CVSS score of 5.4 (medium risk, but serious if it exposes sensitive internal company info).
Official Microsoft advisory: ADV230002 - Microsoft SharePoint Server Information Disclosure Vulnerability
The Core Issue
The heart of the vulnerability lies in improper handling of user-supplied input in certain SharePoint server-side operations. If a user can trick SharePoint into revealing more info through crafted requests, they might see the content of files or system information.
Key point:
You need to be authenticated (logged in), but you don't have to be an admin!
A regular user logs into SharePoint.
2. The user sends a special request crafted to exploit the vulnerable endpoint (like a web API or a document viewer).
3. The server, due to improper restriction or validation of the request, sends back information (files, error messages, or system configs) that the user shouldn't normally see.
Example: Simulated Exploit (Proof-of-Concept)
Below is an illustrative example of how such an exploit might look. Note: The specific endpoints and parameters may differ; Microsoft didn't publish the exact details (with good reason), but similar information disclosure vulnerabilities work like this.
Example HTTP Request
GET /_layouts/15/download.aspx?SourceUrl=/sites/sensitive_folder/secret.docx HTTP/1.1
Host: sharepoint.example.com
Cookie: [Auth_cookie_here]
If the endpoint doesn't check permissions properly due to the vulnerability, the attacker receives
HTTP/1.1 200 OK
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
(Binary data of secret.docx)
In code (PowerShell example to automate download)
Invoke-WebRequest `
-Uri "https://sharepoint.example.com/_layouts/15/download.aspx?SourceUrl=/sites/finance/HR-payroll.xlsx"; `
-Headers @{ "Cookie" = "FedAuth=[cookie_value];" } `
-OutFile 'HR-payroll.xlsx'
If the vulnerability is present and the account used has low privilege, but still receives the file, the flaw exists and is exploitable.
References
- Microsoft Security Response Center (MSRC) Advisory for CVE-2023-24954
- NVD - CVE-2023-24954
- Microsoft Patch Tuesday May 2023 Overview (BleepingComputer)
Apply the relevant security update for SharePoint Server
- SharePoint Server 2016 update
- SharePoint Server 2019 update
- SharePoint Server Subscription Edition
Why It Matters
- Business Data at Risk: Unauthorized file access could lead to leaks of HR records, financial data, or IP.
Summary
CVE-2023-24954 is a reminder that information disclosure bugs are dangerous—even if they're not "remote code execution." With SharePoint, where companies store their most sensitive information, even a medium-severity flaw can be a big deal.
Patch now, review your access controls, and always keep an eye on Patch Tuesday updates.
*Thank you for reading. Share this with your IT and security teams to keep your company’s data safe!*
Timeline
Published on: 05/09/2023 18:15:00 UTC
Last modified on: 05/16/2023 16:10:00 UTC