cve-2023-38155
Vulnerability from cvelistv5
Published
2023-09-12 16:58
Modified
2024-08-02 17:30
Severity
7.0 (High) - cvssV3_1 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Summary
Azure DevOps Server Remote Code Execution Vulnerability
References
SourceURLTags
secure@microsoft.comhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155Patch, Vendor Advisory
Impacted products
VendorProduct
MicrosoftAzure DevOps Server 2019.0.1
MicrosoftAzure DevOps Server 2022.0.1
MicrosoftAzure DevOps Server 2020.1.2
MicrosoftAzure DevOps Server
MicrosoftAzure DevOps Server 2020.0.2
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:30:14.065Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure DevOps Server 2019.0.1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20230601.3",
              "status": "affected",
              "version": "2019.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure DevOps Server 2022.0.1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20230825.4",
              "status": "affected",
              "version": "2022.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:microsoft:azure_devops_server:2020:-:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure DevOps Server 2020.1.2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20230823.1",
              "status": "affected",
              "version": "2020.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:-:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure DevOps Server",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20230825.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:microsoft:azure_devops_server:2020.0.2:-:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure DevOps Server 2020.0.2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20230820.2",
              "status": "affected",
              "version": "2020.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-09-12T07:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Azure DevOps Server Remote Code Execution Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T02:41:09.644Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
        }
      ],
      "title": "Azure DevOps Server Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2023-38155",
    "datePublished": "2023-09-12T16:58:37.646Z",
    "dateReserved": "2023-07-12T23:41:45.861Z",
    "dateUpdated": "2024-08-02T17:30:14.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-38155\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2023-09-12T17:15:19.527\",\"lastModified\":\"2024-05-29T03:16:06.670\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Azure DevOps Server Remote Code Execution Vulnerability\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo del Servidor Azure DevOps\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE7EFADB-24D4-4DB7-A9E5-9C93F1286232\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1562E6BE-3870-4238-A66A-20DA91A5F59F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AEB15A35-7006-4371-9094-274F57BE3DC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B722F81-74C8-4A5E-9F58-6549B5455637\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:microsoft:azure_devops_server:2022.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E635007D-5F48-4846-B100-80FB9FB643A3\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.