CVE-2023-38155

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.1HIGH

EPSS

0.3%

top 43.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

5

Microsoft Azure Devops Server Microsoft Azure Devops Server 2019.0.1 Microsoft Azure Devops Server 2020.0.2 +2 more

Timeline

PublishedSep 12

Description

Azure DevOps Server Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5microsoft/azure_devops_server1.0.0 — 20230825.1

▶CVEListV5microsoft/azure_devops_server_2019.0.12019.0.0 — 20230601.3

▶CVEListV5microsoft/azure_devops_server_2020.0.22020.0.0 — 20230820.2

▶CVEListV5microsoft/azure_devops_server_2020.1.22020.1.0 — 20230823.1

▶CVEListV5microsoft/azure_devops_server_2022.0.12022.0.0 — 20230825.4

Patches

Patch: msrc.microsoft.com ↗Patch: msrc.microsoft.com ↗

🔴Vulnerability Details

2

CVEList

Azure DevOps Server Remote Code Execution Vulnerability↗2023-09-12

▶

GHSA

GHSA-jw6j-8p3q-xrff: Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability↗2023-09-12

▶

📋Vendor Advisories

1

Microsoft

Azure DevOps Server Remote Code Execution Vulnerability↗2023-09-12

▶

CVE-2023-38155 (HIGH CVSS 8.1) | Azure DevOps Server Remote Code Exe | cvebase.io