
KLA12020 Multiple vulnerabilities in Microsoft Developer Tools

2020-12-08 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 9.4

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS3: 7.8

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.9 (Confidence: High)

EPSS: 0.011 (Percentile: 84.7%)

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface, execute arbitrary code, and bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. A spoofing vulnerability in Azure DevOps Server can be exploited remotely to spoof the user interface.
  2. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code.
  3. A remote code execution vulnerability in Visual Studio Code Remote Development Extension can be exploited remotely to execute arbitrary code.
  4. A remote code execution vulnerability in Visual Studio Code Java Extension Pack can be exploited remotely to execute arbitrary code.
  5. A spoofing vulnerability in Azure DevOps Server and Team Foundation Services can be exploited remotely to spoof the user interface.
  6. A security feature bypass vulnerability in Azure SDK for C can be exploited remotely to bypass security restrictions.
  7. A remote code execution vulnerability in Visual Studio Code can be exploited remotely to execute arbitrary code.

Original advisories

CVE-2020-17135

CVE-2020-17156

CVE-2020-17148

CVE-2020-17159

CVE-2020-17145

CVE-2020-17002

CVE-2020-17150

Related products

Microsoft-Visual-Studio

Team-Foundation-Server

Microsoft-Azure

CVE list

CVE-2020-17135 high

CVE-2020-17156 critical

CVE-2020-17148 critical

CVE-2020-17159 critical

CVE-2020-17145 high

CVE-2020-17002 high

CVE-2020-17150 critical

KB list

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or process.

  • SB: Security bypass. Exploitation of vulnerabilities with this impact can allow actions that the current security settings restrict.

  • SUI: Spoof user interface. Exploitation of vulnerabilities with this impact can change the user interface to deceive the user into incorrect behavior.

Affected Products

  • Visual Studio Code TS-Lint Extension
  • Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
  • Microsoft Visual Studio 2019 version 16.0
  • Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
  • Team Foundation Server 2017 Update 3.1
  • Azure DevOps Server 2019 Update 1.1
  • Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
  • Azure DevOps Server 2020
  • Team Foundation Server 2018 Update 3.2
  • Team Foundation Server 2015 Update 4.2
  • C SDK for Azure IoT
  • Team Foundation Server 2018 Update 1.2
  • Azure DevOps Server 2019.0.1
  • Microsoft Visual Studio 2019 version 16.8
  • Visual Studio Code Remote - SSH Extension
  • Visual Studio Code Language Support for Java Extension
