Microsoft Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

Summary

A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1072

 


Details

An attacker who successfully exploited the vulnerability could execute code on the target server in the context of the DevOps or TFS service account.

Vulnerable Systems:

Microsoft Team Foundation Server 2018 Update 3.2
Microsoft Team Foundation Server 2018 Update 1.2
Microsoft Team Foundation Server 2017 Update 3.1
Microsoft Team Foundation Server 2015 Update 4.2
Microsoft Team Foundation Server 2013 Update 5
Microsoft Team Foundation Server 2012 Update 4
Microsoft Team Foundation Server 2010 SP1
Microsoft Azure DevOps Server 2019.0.1 

CVE Information:

CVE-2019-1072

Disclosure Timeline:
Published Date: 07/16/2019