Description
### *Detect date*:
12/08/2020
### *Severity*:
High
### *Description*:
Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface, execute arbitrary code, and bypass security restrictions.
### *Affected products*:
Visual Studio Code TS-Lint Extension
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Team Foundation Server 2017 Update 3.1
Azure DevOps Server 2019 Update 1.1
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Azure DevOps Server 2020
Team Foundation Server 2018 Update 3.2
Team Foundation Server 2015 Update 4.2
C SDK for Azure IoT
Team Foundation Server 2018 Update 1.2
Azure DevOps Server 2019.0.1
Microsoft Visual Studio 2019 version 16.8
Visual Studio Code Remote - SSH Extension
Visual Studio Code Language Support for Java Extension
### *Solution*:
Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).
### *Original advisories*:
[CVE-2020-17135](<https://nvd.nist.gov/vuln/detail/CVE-2020-17135>)
[CVE-2020-17156](<https://nvd.nist.gov/vuln/detail/CVE-2020-17156>)
[CVE-2020-17148](<https://nvd.nist.gov/vuln/detail/CVE-2020-17148>)
[CVE-2020-17159](<https://nvd.nist.gov/vuln/detail/CVE-2020-17159>)
[CVE-2020-17145](<https://nvd.nist.gov/vuln/detail/CVE-2020-17145>)
[CVE-2020-17002](<https://nvd.nist.gov/vuln/detail/CVE-2020-17002>)
[CVE-2020-17150](<https://nvd.nist.gov/vuln/detail/CVE-2020-17150>)
### *Impacts*:
ACE
### *Related products*:
[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)
### *CVE-IDS*:
[CVE-2020-17135](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17135>) 4.9 Warning
[CVE-2020-17156](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17156>) 6.8 High
[CVE-2020-17148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17148>) 6.8 High
[CVE-2020-17159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17159>) 6.8 High
[CVE-2020-17145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17145>) 4.9 Warning
[CVE-2020-17002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17002>) 9.4 Critical
[CVE-2020-17150](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17150>) 6.8 High
### *Microsoft official advisories*:
Java Extension Pack Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17159"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17159", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:18", "description": "Azure DevOps Server Spoofing Vulnerability \n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Azure DevOps Server Spoofing Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2020-17135"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17135", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17135", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-12-06T18:24:11", "description": "Visual Studio Remote Code Execution Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Visual Studio Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17156"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17156", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17156", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:13", "description": "Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17148"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17148", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17148", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:24:00", "description": "Azure DevOps Server and Team Foundation Services Spoofing Vulnerability \n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Azure DevOps Server and Team Foundation Services Spoofing Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": 
true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17145"], "modified": "2020-12-08T08:00:00", "id": "MS:CVE-2020-17145", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17145", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-12-06T18:24:07", "description": "Azure SDK for C Security Feature Bypass Vulnerability \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "Azure SDK for C Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17002"], "modified": "2020-12-10T08:00:00", "id": "MS:CVE-2020-17002", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17002", "cvss": 
{"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2021-12-06T18:24:11", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-12-08T08:00:00", "type": "mscve", "title": "RETRACTED", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 9.4, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17002", "CVE-2020-17160"], "modified": "2020-12-09T08:00:00", "id": "MS:CVE-2020-17160", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17160", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:N"}}], "rapid7blog": [{"lastseen": "2020-12-12T10:47:13", "description": "\n\nWe close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it's a higher count than our typical December months (high thirties), it's still a nice breath of fresh air given how the past year has been. 
We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.\n\nIn terms of actionables, standard procedures can be followed here in terms of how to prioritize which sets of patches to apply first with two exceptions.\n\n## Microsoft Office vulnerabilities\n\nA fair amount of remote code executions targeting Microsoft Excel are being patched up today and while none of them have the Preview Pane set as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. That's our first (minor) exception.\n\nThe next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.\n\n## Microsoft Exchange Server vulnerabilities\n\nWhile there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 ([CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>), [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>)) and one is noted by Microsoft as having a higher chance of exploitability ([CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>)). These three warrant an additional examination and may be grounds for prioritizing patching.\n\nThere is currently suspicion that [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) helps address the patch bypass of [CVE-2020-16875](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16875>) (CVSS 8.4) from September 2020. 
As well, both [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) and [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>) are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. One important note to consider is that while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be in an authenticated role in order to exploit them.\n\nIn contrast, [CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>) is another remote code execution vulnerability that also stems from improper validation of cmdlet arguments, but it only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute. This is extra interesting as [Microsoft Exchange Server 2010 passed end of life back on October 22, 2020](<https://techcommunity.microsoft.com/t5/exchange-team-blog/microsoft-extending-end-of-support-for-exchange-server-2010-to/ba-p/753591>). 
The introduction of this post-EOL patch for Microsoft Exchange Server 2010 coupled with Microsoft noting this vulnerability to be more likely exploitable does suggest prioritizing this patch a bit earlier.\n\n## New Summary Tables\n\nIn an attempt to provide a bit more summarizing tables, here are this month's patched vulnerabilities split by the product family.\n\n### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17160>) | Azure Sphere Security Feature Bypass Vulnerability | False | False | 7.4 | True \n[CVE-2020-16971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16971>) | Azure SDK for Java Security Feature Bypass Vulnerability | False | False | 7.4 | False \n \n### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17153>) | Microsoft Edge for Android Spoofing Vulnerability | False | False | 4.3 | True \n[CVE-2020-17131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17131>) | Chakra Scripting Engine Memory Corruption Vulnerability | False | False | 4.2 | False \n \n### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17148>) | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17150>) | Visual Studio Code Remote Code Execution Vulnerability | False | False | 7.8 | False 
\n[CVE-2020-17156](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17156>) | Visual Studio Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17159>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | False | False | 7.8 | False \n[CVE-2020-17002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17002>) | Azure SDK for C Security Feature Bypass Vulnerability | False | False | 7.4 | False \n[CVE-2020-17135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17135>) | Azure DevOps Server Spoofing Vulnerability | False | False | 6.4 | False \n[CVE-2020-17145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17145>) | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | False | False | 5.4 | False \n \n### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17140>) | Windows SMB Information Disclosure Vulnerability | False | False | 8.1 | True \n[CVE-2020-16958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16958>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16959>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16960>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16961>) | Windows Backup 
Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16962>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16963>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16964>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17098>) | Windows GDI+ Information Disclosure Vulnerability | False | False | 5.5 | True \n \n### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True \n[CVE-2020-17142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17142>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True \n[CVE-2020-17143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17143>) | Microsoft Exchange Information Disclosure Vulnerability | False | False | 8.8 | True \n[CVE-2020-17141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17141>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True \n[CVE-2020-17144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True 
\n[CVE-2020-17117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17117>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 6.6 | False \n \n### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17147>) | Dynamics CRM Webclient Cross-site Scripting Vulnerability | False | False | 8.7 | True \n[CVE-2020-17133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17133>) | Microsoft Dynamics Business Central/NAV Information Disclosure | False | False | 6.5 | True \n \n### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17121>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.1 | False \n[CVE-2020-17115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17115>) | Microsoft SharePoint Spoofing Vulnerability | False | False | 8 | True \n[CVE-2020-17122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17122>) | 
Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17123>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17124>) | Microsoft PowerPoint Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17125>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17127>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17128>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17129>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17089>) | Microsoft SharePoint Elevation of Privilege Vulnerability | False | False | 7.1 | False \n[CVE-2020-17119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17119>) | Microsoft Outlook Information Disclosure Vulnerability | False | False | 6.5 | True \n[CVE-2020-17130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17130>) | Microsoft Excel Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17126>) | Microsoft Excel Information Disclosure Vulnerability | False | False | 5.5 | True 
\n[CVE-2020-17120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17120>) | Microsoft SharePoint Information Disclosure Vulnerability | False | False | 5.3 | True \n \n### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17095>) | Hyper-V Remote Code Execution Vulnerability | False | False | 8.5 | True \n[CVE-2020-17092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17092>) | Windows Network Connections Service Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17134>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17136>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17137>) | DirectX Graphics Kernel Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17139>) | Windows Overlay Filter Security Feature Bypass Vulnerability | False | False | 7.8 | False \n[CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>) | Windows NTFS Remote Code Execution Vulnerability | False | False | 7.5 | True \n[CVE-2020-17103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17103>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7 | False 
\n[CVE-2020-17099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17099>) | Windows Lock Screen Security Feature Bypass Vulnerability | False | False | 6.8 | True \n[CVE-2020-16996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16996>) | Kerberos Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17094>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17138>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17097>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | False | False | 3.3 | False \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2020-12-08T21:36:27", "type": "rapid7blog", "title": "Patch Tuesday - December 2020", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16875", "CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", "CVE-2020-16971", "CVE-2020-16996", "CVE-2020-17002", "CVE-2020-17089", "CVE-2020-17092", "CVE-2020-17094", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17103", "CVE-2020-17115", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17119", "CVE-2020-17120", "CVE-2020-17121", "CVE-2020-17122", "CVE-2020-17123", "CVE-2020-17124", "CVE-2020-17125", "CVE-2020-17126", "CVE-2020-17127", "CVE-2020-17128", "CVE-2020-17129", "CVE-2020-17130", "CVE-2020-17131", "CVE-2020-17132", "CVE-2020-17133", "CVE-2020-17134", "CVE-2020-17135", "CVE-2020-17136", "CVE-2020-17137", "CVE-2020-17138", "CVE-2020-17139", "CVE-2020-17140", "CVE-2020-17141", 
"CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-17145", "CVE-2020-17147", "CVE-2020-17148", "CVE-2020-17150", "CVE-2020-17152", "CVE-2020-17153", "CVE-2020-17156", "CVE-2020-17158", "CVE-2020-17159", "CVE-2020-17160"], "modified": "2020-12-08T21:36:27", "id": "RAPID7BLOG:99D9180FBF3F900ADB0CDC5EF79EC080", "href": "https://blog.rapid7.com/2020/12/08/patch-tuesday-december-2020/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}