CVE-2023-21567: Visual Studio Denial of Service Vulnerability

Overview

Severity

Medium (CVSS 5.6)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C

Category

Denial of Service

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Feb

Released

2023-02-14

EPSS Score

1.47% (percentile: 80.9%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a local user executes the Visual Studio installer According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could affect the integrity by is replacing one file with another.

Affected Products (5)

Developer Tools

• Microsoft Visual Studio 2022 version 17.2
• Microsoft Visual Studio 2022 version 17.0
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2022 version 17.4

Security Updates (5)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

<a href="https://github.com/ycdxsb">ycdxsb</a> with <a href="https://www.iie.ac.cn/">VARAS@IIE</a>

Revision History

• 2023-02-14: Information published.