Security restrictions bypass in Microsoft Visual Studio



Published: 2022-11-09 | Updated: 2023-05-29
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-39253
CWE-ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Visual Studio
Universal components / Libraries / Software for developers

Vendor Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU68517

Risk: Low

CVSSv3.1: 2.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-39253

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the way Git handles hardlinks when performing a local clone. A remote attacker can trick the victim into clocking a malicious repository and create or copy hardlinks to critical files on the system, which can result in sensitive information exposure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Visual Studio: 15.0 26228.04 - 17.3.0 17.3.32804.467

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-39253


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###