Microsoft Azure DevOps Server 2019 injection

Summaryinfo

A vulnerability was found in Microsoft Azure DevOps Server 2019. It has been classified as problematic. This affects an unknown function. The manipulation leads to injection. This vulnerability is traded as CVE-2019-0869. It is possible to initiate the attack remotely. There is no exploit available. Applying a patch is the recommended action to fix this issue.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Microsoft Azure DevOps Server 2019 (Cloud Software). This issue affects an unknown code block. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, and integrity. The summary by CVE is:

A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.

The bug was discovered 04/03/2019. The weakness was shared 04/09/2019 by Mikhail as confirmed security update guide (Website). The advisory is shared at portal.msrc.microsoft.com. The vendor cooperated in the coordination of the public release. The identification of this vulnerability is CVE-2019-0869 since 11/26/2018. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1055 for this issue. The advisory points out:

A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests. An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or the vulnerability could be used as a pivot to chain an attack with other vulnerabilities in web services.

The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 91520 (Microsoft Team Foundation Server Update for April 2019).

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 107749†). The entries VDB-133223, VDB-133226, VDB-133227 and VDB-133228 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Cloud Software

Vendor

• Microsoft

Name

• Azure DevOps Server

Version

• 2019

License

• commercial

Website

• Vendor: https://www.microsoft.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion