SB2019040933 - Multiple vulnerabilities in Microsoft Azure DevOps Server


Published: April 9, 2019 Updated: August 8, 2020

Security Bulletin ID: SB2019040933
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Cross-site request forgery (CVE-ID: CVE-2019-0996)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery, aka 'Azure DevOps Server Spoofing Vulnerability'.


2) Input validation error (CVE-ID: CVE-2019-0857)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A spoofing vulnerability that could allow a security feature bypass exists when Azure DevOps Server does not properly sanitize user-provided input, aka 'Azure DevOps Server Spoofing Vulnerability'.


3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-0869)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-0875)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An elevation of privilege vulnerability exists when Azure DevOps Server 2019 does not properly enforce project permissions, aka 'Azure DevOps Server Elevation of Privilege Vulnerability'.


Remediation

Install the update from the vendor's website.