Msrc Microsoft Visual Studio 2022 Version 17.4 vulnerabilities

CVE-2023-36759 [MEDIUM] CWE-822 Visual Studio Elevation of Privilege Vulnerability Visual Studio Elevation of Privilege Vulnerability FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability re

CVE-2023-38178 [HIGH] CWE-400 .NET Core and Visual Studio Denial of Service Vulnerability .NET Core and Visual Studio Denial of Service Vulnerability .NET Core: .NET Core Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference: https://support.microsoft.com/help/5029688 Remediation: Release N

CVE-2023-38180 [HIGH] .NET and Visual Studio Denial of Service Vulnerability .NET and Visual Studio Denial of Service Vulnerability ASP.NET: ASP.NET Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A Remediation: Release Notes Reference: https://github.com/dotnet/announcements/issues/269 Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference:

CVE-2023-35390 [HIGH] CWE-77 .NET and Visual Studio Remote Code Execution Vulnerability .NET and Visual Studio Remote Code Execution Vulnerability FAQ: How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious fi

CVE-2023-36897 [HIGH] CWE-20 Visual Studio Tools for Office Runtime Spoofing Vulnerability Visual Studio Tools for Office Runtime Spoofing Vulnerability FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on install to be compromised by the attacker. FAQ: How could an attacker exploit this vulnerability? An unauthenticated attacker could bypass validation as a trusted source through a crafted certifica

CVE-2023-35391 [MEDIUM] ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability FAQ: What type of information could be disclosed by this vulnerability? This vulnerability makes it possible to listen to any group or user with a specially crafted group/username. By exploiting this vulnerability, the attacker can now receive messages for group(s) that they are unauthorized to view. FAQ: According to th

CVE-2023-33170 [HIGH] CWE-362 ASP.NET and Visual Studio Security Feature Bypass Vulnerability ASP.NET and Visual Studio Security Feature Bypass Vulnerability FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment. ASP.NET and Visual Studio: ASP.NET and

CVE-2023-33127 [HIGH] CWE-1220 .NET and Visual Studio Elevation of Privilege Vulnerability .NET and Visual Studio Elevation of Privilege Vulnerability FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. FAQ: According to the CVSS metric, the attack vector is network (AV:N). How could an attacker exploit this vulnerability? An attacker could exploit this vulnera

CVE-2023-29331 [HIGH] CWE-400 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability .NET Core: .NET Core Microsoft: Microsoft Customer Action Required: Yes Impact: Denial of Service Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely Reference: https://dotnet.microsoft.com/download/dotnet/6.0 Reference: https://support.microsoft.com/help/5027797 Refere

CVE-2023-33128 [HIGH] CWE-416 .NET and Visual Studio Remote Code Execution Vulnerability .NET and Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attac

CVE-2023-33126 [HIGH] .NET and Visual Studio Remote Code Execution Vulnerability .NET and Visual Studio Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or v

CVE-2023-29349 [HIGH] CWE-191 Microsoft ODBC and OLE DB Remote Code Execution Vulnerability Microsoft ODBC and OLE DB Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an

CVE-2023-24936 [HIGH] .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful e

CVE-2023-29012 [HIGH] CWE-23 GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists FAQ: Why is this GitHub CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Git for Windows software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds

CVE-2023-32026 [HIGH] CWE-122 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out

CVE-2023-33135 [HIGH] .NET and Visual Studio Elevation of Privilege Vulnerability .NET and Visual Studio Elevation of Privilege Vulnerability FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send the user a malicious file and convince them to open it. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? Low-privilege attackers who successfully exploited the vulnerabi

CVE-2023-27911 [HIGH] CWE-122 AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior FAQ: Why is this AutoDesk CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in AutoDesk software which is consumed by the Microsoft products listed in the Security Updates table. It is being documented in the Security Update Guide to announce

CVE-2023-29356 [HIGH] CWE-416 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out

CVE-2023-29007 [HIGH] CWE-77 GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` FAQ: Why is this GitHub CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in MinGit software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable

CVE-2023-32027 [HIGH] CWE-122 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out