CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
CVE-2019-1306 | Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability | Azure DevOps | Critical | 10-09-2019 |
Technical Information
Brief overview of the risk:
A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly. An attacker who successfully exploited this vulnerability could execute code on the server in the context of the TFS or ADO service account.
Detailed Information on the risk:
To exploit the vulnerability, an attacker would need to upload a specially crafted file to a repo on a vulnerable ADO or TFS server and wait for the system to index the file.
The security update addresses the vulnerability by correcting how ADO and TFS index files.
Further information on this vulnerability is available at: CVE-2019-1306
Affected Software
Team Foundation Server 2018 Update 3.2
Azure DevOps Server 2019.0.1
Azure DevOps Server 2019 Update 1