Description of the security update for SharePoint Server Subscription Edition: May 9, 2023 (KB5002390)

Summary

This security update resolves a Microsoft SharePoint Server spoofing vulnerability, Microsoft SharePoint Server information disclosure vulnerability, and Microsoft SharePoint Server remote code execution vulnerability. To learn more about the vulnerabilities, see the following security advisories:​​​​

• Microsoft Common Vulnerabilities and Exposures CVE-2023-24950

• Microsoft Common Vulnerabilities and Exposures CVE-2023-24954

• Microsoft Common Vulnerabilities and Exposures CVE-2023-24955

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server Subscription Edition:

• Updates SharePoint search to be compatible with versions of the Hybrid Configuration Wizard and cloud hybrid search PowerShell configuration scripts that were released on or after May 9, 2023. Previous versions of the wizard and scripts used the Active Directory Authentication Library (ADAL) and Microsoft Online PowerShell module that will both reach the end of support on June 30, 2023. The new wizard and scripts use the Microsoft Authentication Library (MSAL) and Microsoft Graph PowerShell module that will remain in support after June 30, 2023. 

• Optimizes the logic of checking the Internet Information Services (IIS) application pool state in stop or start operations. 

• Increases BLOB cache performance counters.  

• Fixes issues in the SharePoint Distributed Cache service that were first introduced in the January 10, 2023, security update for SharePoint Server Subscription Edition (KB 5002331). Those issues include having difficulty connecting to the SharePoint Distributed Cache service if the service is running on servers that are assigned the custom server role, and having difficulty connecting to the Distributed Cache service if it's running on another server in a multi-server SharePoint farm.

• Fixes an issue in which you cannot create Search service applications successfully starting with the March 14, 2023, security update for SharePoint Server Subscription Edition (KB 5002355).

• Fixes an issue in which the search box isn't visible on communication sites starting with the March 14, 2023, security update for SharePoint Server Subscription Edition (KB 5002355). 

• Fixes an issue that affects reacquiring identity tokens. This could cause authorization failures in certain scenarios, such as opening and saving documents by using Office Online Server.

• Fixes an issue in which stub files are shown in the document library even though they should be hidden by default and never visible in the library. 

• Fixes an issue in which you cannot add the File viewer web part link from the root site. 

• Fixes an issue in which the "New Item" label isn't translated at the Modern list page. 

How to get and install the update

More information

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security