CVE-2021-41373: 
vulnerability analysis and mitigation

FSLogix Information Disclosure Vulnerability (CVE-2021-41373) was identified and disclosed in September 2021. The vulnerability affects Microsoft FSLogix software versions up to (excluding) 2.9.7979.62170. This security issue was assigned by Microsoft Corporation and was officially published in the National Vulnerability Database on November 9, 2021 (NVD, CVE Mitre).

The vulnerability has been assessed with multiple CVSS scores. According to Microsoft's evaluation, it received a CVSS 3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The CVSS 2.0 assessment by NIST rated it with a Base Score of 2.1 (LOW) with the vector string (AV:L/AC:L/Au:N/C:P/I:N/A:N) (NVD).

The vulnerability is classified as an Information Disclosure issue that could potentially lead to unauthorized access to sensitive information. The CVSS scores indicate that while the vulnerability requires local access and low privileges, it could result in high confidentiality impact (NVD).

Microsoft released FSLogix version 2105 HF_01 (2.9.7979.62170) to address this vulnerability. The hotfix specifically mitigates the vulnerability disclosed in CVE-2021-41373 and also addresses an issue where FSLogix event logs could be malformed on Windows 11. Microsoft strongly recommended all customers running Cloud Cache or Windows 11 to update to this version (Microsoft Community).