Update Alert: CVE-2023-36019 and Power Platform Connectors

23. Feb.

There's an update for Microsoft Power Platform users regarding CVE-2023-36019. This concerns a specific issue with custom connectors' redirect URIs, highlighted on December 12, 2023. It's an opportunity to strengthen the security and robustness of Power Platform connectors.
For detailed information and updates, visit the Microsoft Security Response Center.

Important Dates:

December 12, 2023: The vulnerability was officially disclosed, alerting users to the potential risks.
November 17, 2023: Microsoft proactively implemented mitigation by automatically assigning per-connector redirect URIs for new custom connectors.
Deadline - February 17, 2024: Users must update existing connectors to incorporate the new per-connector redirect URIs to maintain security compliance.
February 19 to March 29, 2024: A transition period during which non-compliant connectors will be gradually deprecated.
Post-March 29, 2024: Use of outdated OAuth 2.0 custom connectors without the updated URIs will be restricted.

Suggestion for Admins and Makers:

To safeguard your Power Platform environment against CVE-2023-36019, it's imperative to review and update your custom connectors before the February 17 deadline. This proactive approach not only enhances security but also ensures uninterrupted functionality of your connectors. For comprehensive guidance, refer to the Microsoft Security Response Center's advisory on this vulnerability.