Azure Devops Server
CVE-2019-0996
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user. To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click a link to the malicious page. The update addresses the vulnerability by modifying how Azure DevOps Server protects application registration requests.
AnalysisAI
A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user. To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click a link to the malicious page. The update addresses the vulnerability by modifying how Azure DevOps Server protects application registration requests. Affected products include: Microsoft Azure Devops Server.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Azure Devops Server
View allAzure DevOps Server Spoofing Vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to val
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle
Azure DevOps Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely
Azure DevOps Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely
Azure DevOps Server Spoofing Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable,
Azure DevOps Server Spoofing Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable,
Azure DevOps Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely
Azure DevOps Server Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely
An elevation of privilege vulnerability exists when Azure DevOps Server and Team Foundation Services improperly handle p
An elevation of privilege vulnerability exists when Azure DevOps Server and Team Foundation Services improperly handle p
An elevation of privilege vulnerability exists when Azure DevOps Server 2019 does not properly enforce project permissio
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today