Update Alert: CVE-2023-36019 and Power Platform Connectors
Important Dates:
December 12, 2023: The vulnerability was officially disclosed, alerting users to the potential risks.
November 17, 2023: Microsoft proactively implemented a mitigation by automatically assigning per-connector redirect URIs to new custom connectors.
Deadline - February 17, 2024: Users must update existing connectors to incorporate the new per-connector redirect URIs to maintain security compliance.
February 19 to March 29, 2024: A transition period during which non-compliant connectors will be gradually deprecated.
Post-March 29, 2024: Use of outdated OAuth 2.0 custom connectors without the updated URIs will be restricted.
Suggestion for Admins and Makers:
To safeguard your Power Platform environment against CVE-2023-36019, it's imperative to review and update your custom connectors before the February 17 deadline. This proactive approach not only enhances security but also ensures uninterrupted functionality of your connectors. For comprehensive guidance, refer to the Microsoft Security Response Center's advisory on this vulnerability.
How to update the custom connector’s redirect URL:
Be aware that after changing the redirect URL, you need to create a new connection and apply it (change the connector of your connection reference).