CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Apr

Released

2022-04-12

Last Updated

2022-07-12

EPSS Score

0.38% (percentile: 59.4%)

Affected Products (8)

Developer Tools

• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
• Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
• Visual Studio 2019 for Mac version 8.10
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2022 version 17.0
• Microsoft Visual Studio 2022 version 17.1
• Visual Studio 2022 for Mac version 17.0

Security Updates (8)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Nils Ole  Timm (@firzen14) working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>

Revision History

• 2022-04-12: Information published.
• 2022-05-10: To comprehensively address CVE-2022-24513, Microsoft has released May 2022 security updates for the following supported versions of Visual Studio: Visual Studio 2017 version 15.9, Visual Studio 2019 version 16.9, Visual Studio 2019 version 16.11, Microsoft Visual Studio 2022 version 17.0, and Microsoft Visual Studio 2022 version 17.1. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability.
• 2022-06-14: Microsoft has released the June 2022 security updates to further address CVE-2022-24513 for the following supported versions of Visual Studio: Visual Studio 2017 version 15.9, Visual Studio 2019 version 16.9, Visual Studio 2019 version 16.11, Microsoft Visual Studio 2022 version 17.0, and Visual Studio 2019 for Mac version 8.10. In addition, Visual Studio 2022 for Mac version 17.0 has been added to the Security Updates table as it is also affected by this vulnerability. Microsoft strongly recommends that customers install these updates to be fully protected from the vulnerability.
• 2022-07-12: Microsoft has released July 2022 security updates to further address CVE-2022-24513 for Visual Studio 2019 version 16.9 and Microsoft Visual Studio 2022 version 17.0. Microsoft strongly recommends that customers install these updates to be fully protected from the vulnerability.