CVE Number: CVE-2019-1306
Vulnerability: Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability
Product: Azure DevOps
Severity: Critical
Date: 10-09-2019

Technical Information

Brief overview of the risk:

A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly. An attacker who successfully exploited this vulnerability could execute code on the server in the context of the TFS or ADO service account.

Detailed Information on the risk:

To exploit the vulnerability, an attacker would need to upload a specially crafted file to a repo on a vulnerable ADO or TFS server and wait for the system to index the file.
The security update addresses the vulnerability by correcting how ADO and TFS index files.

Further information on this vulnerability is available at: CVE-2019-1306

Affected Software

Team Foundation Server 2018 Update 3.2
Azure DevOps Server 2019.0.1
Azure DevOps Server 2019 Update 1