CVE-2019-1306

CWE-20 — Improper Input Validation6 documents5 sources

Severity

9.8CRITICAL

EPSS

26.0%

top 3.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Azure Devops Server Microsoft Azure Devops Server 2019 Update 1 Microsoft Team Foundation Server 2018 +1 more

Timeline

PublishedSep 11

Latest updateMay 24

Description

A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5microsoft/azure_devops_server2019.0.1

▶NVDmicrosoft/azure_devops_server2019, 2019.0.1+1

▶NVDmicrosoft/team_foundation_server2018

▶CVEListV5microsoft/team_foundation_server_2018Update 3.2

▶CVEListV5microsoft/azure_devops_server_2019_update_1unspecified

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-wvw6-4r49-h4g6: A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azu↗2022-05-24

▶

CVEList

CVE-2019-1306: A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azu↗2019-09-11

▶

📋Vendor Advisories

Microsoft

Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability↗2019-09-10

▶

🕵️Threat Intelligence

Trendmicro

CVE-2019-1306: Are you my Index?↗2019-10-24

▶

Trendmicro

CVE-2019-1306: Are you my Index?↗2019-10-24

▶