Technical Information

Brief overview of the risk:

A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly. An attacker who successfully exploited this vulnerability could execute code on the server in the context of the TFS or ADO service account.

Detailed Information on the risk:

To exploit the vulnerability, an attacker would need to upload a specially-crafted file to a vulnerable ADO or TFS server repo and wait for the system to index the file.
The security update addresses the vulnerability by correcting how ADO and TFS index files.

Further information on this vulnerability is available at : CVE-2019-1306