Msrc Microsoft Visual Studio 2022 Version 17.2 vulnerabilities

CVE-2024-0057 [CRITICAL] CWE-20 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? A security feature bypass vulnerability exists when Microsoft .NET Framework-based applications use X.509 chain building APIs but do not completely validate the X.509 certificate due to a logic flaw. An attacker c

CVE-2024-0056 [HIGH] CWE-319 Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or mo

CVE-2024-20656 [HIGH] CWE-59 Visual Studio Elevation of Privilege Vulnerability Visual Studio Elevation of Privilege Vulnerability FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Visual Studio: Visual Studio Microsoft: Microsoft Customer Action Required: Yes Impact: Elevation of Privilege Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Softwar

CVE-2024-21319 [MEDIUM] CWE-20 Microsoft Identity Denial of service vulnerability Microsoft Identity Denial of service vulnerability FAQ: According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability? The attacker must have access to the public encrypt key registered with the IDP(Entra ID) for successful exploitation. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by crafting a malicious JSON We

CVE-2023-36049 [HIGH] CWE-20 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability FAQ: How could an attacker exploit this vulnerability? To exploit this vulnerability an attacker would have to inject arbitrary commands to the FTP server. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited t

CVE-2023-36038 [HIGH] CWE-400 ASP.NET Core Denial of Service Vulnerability ASP.NET Core Denial of Service Vulnerability FAQ: How could an attacker exploit this vulnerability? This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to a total loss of availability (A:H

CVE-2023-36558 [MEDIUM] ASP.NET Core Security Feature Bypass Vulnerability ASP.NET Core Security Feature Bypass Vulnerability FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An unauthenticated attacker could bypass validations on Blazor Server forms. FAQ: How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then trigger an event that could expl

CVE-2023-44487 [HIGH] CWE-400 MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack HTTP/2: HTTP/2 MITRE Corporation: MITRE Corporation Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference: https://support.microsoft.com/help/5032874 Remediation: Release Notes Reference:

CVE-2023-38171 [HIGH] CWE-476 Microsoft QUIC Denial of Service Vulnerability Microsoft QUIC Denial of Service Vulnerability FAQ: Where can I find more information? Please see the GitHub Advisory relating to this vulnerability here: https://github.com/microsoft/msquic/security/advisories/GHSA-xh5m-8qqp-c5x7#event-111621 Microsoft QUIC: Microsoft QUIC Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Softwar

CVE-2023-36794 [HIGH] CWE-191 Visual Studio Remote Code Execution Vulnerability Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. .NET and Visual Studio: .NET and Visual Studio Microsoft: Microsoft Customer Action Required: Yes Impact: Remo

CVE-2023-36793 [HIGH] CWE-122 Visual Studio Remote Code Execution Vulnerability Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim need

CVE-2023-36792 [HIGH] CWE-190 Visual Studio Remote Code Execution Vulnerability Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim need

CVE-2023-36796 [HIGH] CWE-191 Visual Studio Remote Code Execution Vulnerability Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim need

CVE-2023-36799 [MEDIUM] CWE-400 .NET Core and Visual Studio Denial of Service Vulnerability .NET Core and Visual Studio Denial of Service Vulnerability FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send the user a malicious request and convince them to open it. .NET Core & Visual Studio: .NET Core & Visual Studio Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status:

CVE-2023-36759 [MEDIUM] CWE-822 Visual Studio Elevation of Privilege Vulnerability Visual Studio Elevation of Privilege Vulnerability FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability re

CVE-2023-38178 [HIGH] CWE-400 .NET Core and Visual Studio Denial of Service Vulnerability .NET Core and Visual Studio Denial of Service Vulnerability .NET Core: .NET Core Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference: https://support.microsoft.com/help/5029688 Remediation: Release N

CVE-2023-38180 [HIGH] .NET and Visual Studio Denial of Service Vulnerability .NET and Visual Studio Denial of Service Vulnerability ASP.NET: ASP.NET Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A Remediation: Release Notes Reference: https://github.com/dotnet/announcements/issues/269 Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference:

CVE-2023-35390 [HIGH] CWE-77 .NET and Visual Studio Remote Code Execution Vulnerability .NET and Visual Studio Remote Code Execution Vulnerability FAQ: How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious fi

CVE-2023-36897 [HIGH] CWE-20 Visual Studio Tools for Office Runtime Spoofing Vulnerability Visual Studio Tools for Office Runtime Spoofing Vulnerability FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on install to be compromised by the attacker. FAQ: How could an attacker exploit this vulnerability? An unauthenticated attacker could bypass validation as a trusted source through a crafted certifica

CVE-2023-35391 [MEDIUM] ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability FAQ: What type of information could be disclosed by this vulnerability? This vulnerability makes it possible to listen to any group or user with a specially crafted group/username. By exploiting this vulnerability, the attacker can now receive messages for group(s) that they are unauthorized to view. FAQ: According to th