CVE-2024-38190 Overview
CVE-2024-38190 is a missing authorization vulnerability in Microsoft Power Platform. The flaw allows an unauthenticated attacker to view sensitive information through a network attack vector. The weakness is classified under [CWE-862] (Missing Authorization), meaning the platform fails to enforce access controls on protected resources.
Microsoft published the advisory on October 15, 2024. The vulnerability carries a CVSS score of 8.6 and a scope-changed impact, indicating that exploitation affects resources beyond the vulnerable component itself. No authentication or user interaction is required to exploit the flaw.
Critical Impact
Unauthenticated network attackers can read sensitive information from Power Platform tenants without user interaction, breaching confidentiality across resource boundaries.
Affected Products
- Microsoft Power Platform (cloud service)
- Power Platform connectors and associated services exposed over the network
- Tenants relying on Power Platform for low-code application and workflow data
Discovery Timeline
- 2024-10-15 - CVE-2024-38190 published to the National Vulnerability Database
- 2024-10-15 - Microsoft Security Response Center publishes advisory for CVE-2024-38190
- 2024-11-08 - Last updated in NVD database
Technical Details for CVE-2024-38190
Vulnerability Analysis
The vulnerability stems from a missing authorization check within Microsoft Power Platform. An endpoint or service path does not validate whether the caller is permitted to access the requested resource. As a result, requests issued without credentials return data that should be restricted to authorized tenants or users.
The issue maps to [CWE-862], which covers software that does not perform an authorization check when an actor attempts to access a resource or perform an action. Because Power Platform is a multi-tenant cloud service, missing authorization can expose data belonging to other customers or to privileged internal components.
The scope-changed designation indicates that the vulnerable Power Platform component grants access to a resource managed by a different security authority. Exploitation therefore crosses a trust boundary inside the service. Microsoft mitigated the issue server-side, and no customer action is required for the cloud service itself.
Root Cause
The root cause is the absence of an authorization decision on a network-reachable Power Platform interface. The code path that returns sensitive data does not verify the caller's identity or permissions before responding. Confidentiality is the primary impact, while integrity and availability are not affected.
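To make the CWE-862 pattern concrete, here is an added illustration (not Microsoft Power Platform code; the request model, tenant ids, record names and the `/tenants/<tenant>/<resource>` path shape are all constructed for this example). The vulnerable handler returns whatever tenant's data the path names without ever consulting the caller's identity; the fixed handler makes an explicit authorization decision first, which is the control the advisory describes as missing.

```python
"""CWE-862 (missing authorization) in a toy multi-tenant read endpoint.

Added example, not Power Platform code: request shape, tenant ids and
records below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """Minimal request model (constructed): who is calling and what for."""
    path: str
    principal: Optional[str] = None   # None models an unauthenticated caller
    tenant: Optional[str] = None      # tenant the principal authenticated against


# Constructed sample data: records owned by two different tenants.
RECORDS = {
    "tenant-a": {"customers": ["alice@example.test", "bob@example.test"]},
    "tenant-b": {"customers": ["carol@example.test"]},
}


def _parse(path: str):
    # "/tenants/tenant-a/customers" -> ("tenant-a", "customers")
    _, owner_tenant, resource = path.strip("/").split("/")
    return owner_tenant, resource


def vulnerable_handler(req: Request) -> dict:
    """Before: serves the resource for whatever tenant the path names.

    The caller's identity and permissions are never consulted, which is the
    CWE-862 pattern: the authorization decision is simply absent, so an
    unauthenticated request crosses the tenant boundary and reads data.
    """
    owner_tenant, resource = _parse(req.path)
    return {"status": 200, "body": RECORDS[owner_tenant][resource]}


def fixed_handler(req: Request) -> dict:
    """After: an explicit authorization decision precedes any data access."""
    owner_tenant, resource = _parse(req.path)
    if req.principal is None or req.tenant is None:
        return {"status": 401, "body": "authentication required"}
    # Cross-tenant reads are denied even for authenticated callers.
    if req.tenant != owner_tenant:
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": RECORDS[owner_tenant][resource]}


def demo() -> dict:
    """Run the same three callers through both handlers; returns status codes."""
    anon = Request(path="/tenants/tenant-a/customers")
    cross = Request(path="/tenants/tenant-a/customers", principal="carol", tenant="tenant-b")
    owner = Request(path="/tenants/tenant-a/customers", principal="alice", tenant="tenant-a")
    return {
        "vulnerable_anon": vulnerable_handler(anon)["status"],   # 200: data leaks
        "fixed_anon": fixed_handler(anon)["status"],             # 401
        "fixed_cross_tenant": fixed_handler(cross)["status"],    # 403
        "fixed_owner": fixed_handler(owner)["status"],           # 200
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pair is where the check sits: the fixed handler decides authentication (401) and then authorization against the resource's owning tenant (403) before any lookup, so the scope-changed outcome in the advisory (one tenant's data reachable from outside its security authority) cannot occur on that path.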
Attack Vector
The attack vector is network-based with low attack complexity. An attacker sends crafted requests to the exposed Power Platform endpoint and receives sensitive information in the response. No privileges are required, no user must interact, and the attacker does not need to be in the same trust zone as the victim tenant.
No public proof-of-concept or exploit code has been published. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability sits in the higher percentile band, suggesting elevated interest relative to the broader CVE population.
Detection Methods for CVE-2024-38190
Indicators of Compromise
- Anomalous unauthenticated HTTP requests to Power Platform API endpoints from external networks
- Outbound data transfers from Power Platform connectors to unrecognized destinations
- Unexpected access to Power Platform environments from IP addresses not associated with tenant administrators
- Spikes in 403 responses (rejected probing) or, more seriously, 200 responses on Power Platform telemetry for requests that authorization should have rejected
Detection Strategies
- Review Microsoft Purview and Power Platform audit logs for read operations performed by unauthenticated or anonymous principals
- Correlate Microsoft Entra ID sign-in telemetry with Power Platform activity to identify access without a matching authentication event
- Hunt for enumeration patterns against Power Platform service URLs in network proxy or cloud-access security broker logs
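The three strategies above as runnable detection logic, added here as an example (not Microsoft code, and not the real Purview, Entra ID or proxy schemas: every record is constructed, and field names such as `UserId`, `Operation`, `CreationTime`, `UserPrincipalName` and the `api.powerplatform.example` host are assumptions). The first function flags reads with no authenticated principal, the second flags reads for which no sign-in exists in the preceding window, and the third flags source IPs that touch many distinct service paths in a short window.

```python
"""Hunting logic for the detection strategies above (added example).

Record shapes, field names, hostnames and IP addresses are constructed and
assumed; adapt the field names to the exported schema you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Power Platform activity records (assumed Purview-style shape).
ACTIVITY: List[Dict[str, str]] = [
    {"CreationTime": "2024-10-14T09:00:05Z", "UserId": "alice@contoso.test", "Operation": "RetrieveMultiple", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-10-14T09:00:40Z", "UserId": "", "Operation": "RetrieveMultiple", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-10-14T09:15:00Z", "UserId": "bob@contoso.test", "Operation": "Retrieve", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-10-14T20:00:00Z", "UserId": "alice@contoso.test", "Operation": "Retrieve", "ClientIP": "203.0.113.10"},
]
# Constructed Entra ID sign-in records (assumed shape).
SIGNINS: List[Dict[str, str]] = [
    {"CreatedDateTime": "2024-10-14T08:55:00Z", "UserPrincipalName": "alice@contoso.test", "IPAddress": "203.0.113.10"},
]
# Constructed proxy log lines: "<timestamp> <source ip> <method> <url>".
PROXY_LINES: List[str] = [
    "2024-10-14T09:00:20Z 198.51.100.7 GET https://api.powerplatform.example/environments/env-001/data",
    "2024-10-14T09:00:21Z 198.51.100.7 GET https://api.powerplatform.example/environments/env-002/data",
    "2024-10-14T09:00:22Z 198.51.100.7 GET https://api.powerplatform.example/environments/env-003/data",
    "2024-10-14T09:00:23Z 198.51.100.7 GET https://api.powerplatform.example/environments/env-004/data",
    "2024-10-14T09:01:00Z 203.0.113.10 GET https://api.powerplatform.example/environments/env-001/data",
]

READ_OPERATIONS = {"Retrieve", "RetrieveMultiple"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def anonymous_reads(activity: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Strategy 1: read operations recorded with no authenticated principal."""
    return [e for e in activity if e["Operation"] in READ_OPERATIONS and not e.get("UserId")]


def reads_without_signin(activity, signins, window: timedelta = timedelta(hours=8)):
    """Strategy 2: reads with no Entra sign-in for that user within `window` before the read.

    Anonymous reads have no user to match and are therefore always flagged.
    """
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["UserPrincipalName"].lower()].append(_ts(s["CreatedDateTime"]))
    flagged = []
    for e in activity:
        if e["Operation"] not in READ_OPERATIONS:
            continue
        when = _ts(e["CreationTime"])
        user = (e.get("UserId") or "").lower()
        if not any(when - window <= t <= when for t in by_user.get(user, [])):
            flagged.append(e)
    return flagged


def enumeration_sources(lines: List[str], threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Strategy 3: source IPs touching >= `threshold` distinct service paths within `window`."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in lines:
        ts, ip, _method, url = line.split()
        path = url.split("://", 1)[-1].split("/", 1)[-1]  # drop scheme and host
        hits[ip].append((_ts(ts), path))
    suspicious = []
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {p for t, p in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                suspicious.append(ip)
                break
    return sorted(suspicious)


if __name__ == "__main__":
    print("anonymous reads:", anonymous_reads(ACTIVITY))
    print("reads without sign-in:", reads_without_signin(ACTIVITY, SIGNINS))
    print("enumeration sources:", enumeration_sources(PROXY_LINES))
```

The sign-in window (8 hours here) is a tuning choice, not a rule: set it from your tenant's token lifetime and sign-in frequency policy, and expect long-lived refresh tokens to produce benign gaps that the second check will surface for review rather than as confirmed findings.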
Monitoring Recommendations
- Enable Power Platform activity logging and forward events to a centralized SIEM for long-term retention
- Alert on access to high-value Dataverse tables, connectors, and environments from sources outside expected network ranges
- Track Microsoft Security Response Center advisories and Microsoft 365 message center notifications for service-side fixes affecting Power Platform
How to Mitigate CVE-2024-38190
Immediate Actions Required
- Confirm that Microsoft has applied the server-side fix by reviewing the Microsoft Security Update CVE-2024-38190 advisory
- Audit Power Platform environments for sensitive data that may have been exposed prior to remediation
- Rotate any secrets, API keys, or connection strings stored in Power Platform connectors that handle regulated data
- Restrict Power Platform tenant isolation settings to limit cross-tenant access where supported
Patch Information
Microsoft addressed CVE-2024-38190 in the Power Platform cloud service. Because Power Platform is delivered as a managed service, the fix was deployed by Microsoft and does not require customers to install a binary patch. Refer to the Microsoft Security Update CVE-2024-38190 advisory for the official statement.
Workarounds
- Enforce conditional access policies that restrict Power Platform administrative endpoints to managed devices and known networks
- Apply Power Platform data loss prevention (DLP) policies to limit which connectors can transmit sensitive data
- Disable unused Power Platform environments and connectors to reduce exposed surface area
- Require multi-factor authentication on all Power Platform maker and administrator accounts to limit follow-on abuse
# Example: list Power Platform environments and review access using the Power Platform CLI
# Authenticate the CLI to the tenant (replace orgname with your organization's org name)
pac auth create --url https://orgname.crm.dynamics.com
# Enumerate every environment in the tenant
pac admin list
# Review the users assigned to one environment (substitute the environment id from the list above)
pac admin list-app-users --environment <environment-id>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.