Our selection of information security alerts and advisories.
Sources: US Cert, Cert EU, Cert FR, Cnil, VulDB.

Wednesday, 12 June 2019

Microsoft Azure DevOps Server 2019 cross site request forgery

A vulnerability classified as problematic was found in Microsoft Azure DevOps Server 2019 (Cloud Software). It affects an unknown code block. Manipulation with an unknown input leads to a cross site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The known impact is on integrity. An attacker might be able to force legitimate users to initiate unwanted actions within the web application.

The weakness was shared on 06/11/2019 as a confirmed security update guide (Website). The advisory is available at portal.msrc.microsoft.com. The vendor cooperated in the coordination of the public release. This vulnerability has been named CVE-2019-0996 since 11/26/2018. The attack can be initiated remotely. No form of authentication is required for successful exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 06/12/2019). The advisory points out:

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user.

Applying a patch eliminates this problem. A possible mitigation was published immediately after the disclosure of the vulnerability.

Product

Type

Vendor

Name

CPE 2.3

CPE 2.2

CVSSv3

VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 4.1

VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔒
VulDB Reliability: 🔍

CVSSv2

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍

Exploiting

Class: Cross site request forgery (CWE-352)
Local: No
Remote: Yes

Availability: 🔒
Status: Not defined

Price Prediction: 🔍
Current Price Estimation: 🔒

Threat Intelligence

Threat: 🔍
Adversaries: 🔍
Geopolitics: 🔍
Economy: 🔍
Predictions: 🔍
Remediation: 🔍

Countermeasures

Recommended: Patch
Status: 🔍

Reaction Time: 🔒
0-Day Time: 🔒
Exposure Time: 🔒

Timeline

11/26/2018 CVE assigned
06/11/2019 Advisory disclosed
06/11/2019 Countermeasure disclosed
06/12/2019 VulDB entry created
06/12/2019 VulDB last update

Sources

Vendor: microsoft.com

Advisory: portal.msrc.microsoft.com
Status: Confirmed
Coordinated: 🔒

CVE: CVE-2019-0996 (🔒)

Entry

Created: 06/12/2019 09:37 PM
Complete: 🔍

Author: VulDB

Categories: VulDB