According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability? Owning an affected domain is not enough to run the attack. For a successful attacker the appropriate variable must be used in the pipeline, and not every pipeline is vulnerable. According to the CVSS metric, the attack vector is network (AV:N), user interaction is none (UI:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attack needs to have only Run access to the pipeline. Azure DevOps server is not bound to any network stack or protocol. Communication is on the TCP/IP level and this allows to communicate over the Internet.
<a href="https://www.linkedin.com/company/legitsecurity/">Legit Security (LinkedIn)</a> with <a href="https://www.legitsecurity.com/">Legit Security</a>