CVE-2019-1072

CWE-20 — Improper Input Validation4 documents4 sources

Severity

9.8CRITICAL

EPSS

24.1%

top 3.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Azure Devops Server Microsoft Team Foundation Server Microsoft Team Foundation Server 2010 +4 more

Timeline

PublishedJul 15

Latest updateMay 24

Description

A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5microsoft/azure_devops_server2019.0.1

▶NVDmicrosoft/azure_devops_server2019.0.1

▶CVEListV5microsoft/team_foundation_server2017 Update 3.1

▶NVDmicrosoft/team_foundation_server6 versions+5

▶CVEListV5microsoft/team_foundation_server_2010SP1 (x64), SP1 (x86)+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-g5c6-v9ph-hmxh: A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps↗2022-05-24

▶

CVEList

CVE-2019-1072: A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps↗2019-07-15

▶

📋Vendor Advisories

Microsoft

Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability↗2019-07-09

▶