CVE-2019-1072
published 2019-07-15

Priority: P264 | Severity: critical | CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.44% (95.7th percentile)

A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.

Affected

23 ranges
Vendor | Product | Version range | Fixed in
microsoft | azure_devops_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server
microsoft | team_foundation_server_2010
microsoft | team_foundation_server_2010
microsoft | team_foundation_server_2012
microsoft | team_foundation_server_2013_update_5
microsoft | team_foundation_server_2015
microsoft | team_foundation_server_2018
microsoft | team_foundation_server_2018
msrc | azure_devops_server_2019.0.1
msrc | team_foundation_server_2010_sp1
msrc | team_foundation_server_2012_update_4
msrc | team_foundation_server_2013_update_5
msrc | team_foundation_server_2015_update_4.2
msrc | team_foundation_server_2017_update_3.1
msrc | team_foundation_server_2018_update_1.2
msrc | team_foundation_server_2018_update_3.2

Detection & IOCs (extracted from sources)

  • Exploit vector is a specially crafted file submitted to the server; monitor for unusual file uploads to Azure DevOps Server / TFS endpoints, especially from unauthenticated (anonymous) sources.
  • Successful exploitation results in code execution in the context of the DevOps or TFS service account; monitor for unexpected process spawning or command execution under the TFS/Azure DevOps service account.
  • The vulnerability is triggered by improper handling of user input (specific file types); consider inspecting and restricting file type uploads on TFS/Azure DevOps Server attachment or import endpoints.
  • Anonymous access to projects lowers the bar for attack to zero required authentication; audit and disable anonymous access on TFS/Azure DevOps Server instances where not strictly necessary.
  • Exploitation likelihood is rated 'Less Likely' for both latest and older software releases per Microsoft's assessment, and no public exploit or in-the-wild exploitation was confirmed at time of disclosure.

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc | 9.8 | CRITICAL