CVE Number: CVE-2019-1072
Vulnerability: Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability
Product: Team Foundation
Severity: Critical
Date: 10-07-2019

Technical Information

Brief overview of the risk:
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input. An attacker who successfully exploited the vulnerability could execute code on the target server in the context of the DevOps or TFS service account.

Detailed Information on the risk:
To exploit the vulnerability, an attacker could submit a specially crafted file to an affected server. If anonymous access is allowed to projects on an affected server, the attacker would not require authentication.
The update corrects the way that DevOps Server and TFS process certain file types.

Further information on this vulnerability is available at: CVE-2019-1072

Affected Software


Team Foundation Server 2012 Update 4
Team Foundation Server 2013 Update 5
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 3.2
Team Foundation Server 2015 Update 4.2
Azure DevOps Server 2019.0.1
Team Foundation Server 2010 SP1 (x86)
Team Foundation Server 2010 SP1 (x64)