CVE-2024-43466: 
vulnerability analysis and mitigation

Microsoft SharePoint Server has been identified with a Denial of Service vulnerability, tracked as CVE-2024-43466. The vulnerability was discovered and reported on June 26, 2024, and publicly disclosed on September 10, 2024. This security flaw affects multiple versions of SharePoint Server, including SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Server Subscription Edition (NVD).

The vulnerability exists within the SPAutoSerializingObject class and stems from improper validation of user-supplied data, which can lead to deserialization of untrusted data. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST and 6.5 (MEDIUM) from Microsoft, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The flaw has been classified under CWE-502 (Deserialization of Untrusted Data) (ZDI Advisory, NVD).

When successfully exploited, this vulnerability can result in a denial-of-service condition on the affected SharePoint Server installation. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (ZDI Advisory).

Microsoft has released security updates to address this vulnerability. The fix is included in build 16.0.10414.20002 of the security update package for SharePoint Server 2019. System administrators are advised to apply the security update KB5002639 through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center (Microsoft Support).