Vulnerability identifier: #VU36015
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Azure DevOps Server
Server applications /
Application servers
Vendor: Microsoft
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An elevation of privilege vulnerability exists when Azure DevOps Server 2019 does not properly enforce project permissions, aka 'Azure DevOps Server Elevation of Privilege Vulnerability'.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Azure DevOps Server: 2019
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0875
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.