CVE-2023-36437: Azure DevOps Server Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Nov
Released: 2023-11-14
EPSS Score: 0.50% (percentile: 66.0%)

FAQ

How could an attacker exploit this vulnerability?
An attacker could exploit an integer overflow vulnerability that results in arbitrary heap writes, which could be used to perform arbitrary code execution.

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on ADO?
Yes, the attacker needs to be authenticated to Azure DevOps Server.
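The FAQ names the vulnerability class (an integer overflow in a size computation that leads to an undersized heap buffer and out-of-bounds writes) without giving details of the affected code. The following C# snippet is an added, generic illustration of that class and its fix; it is not the Azure Pipelines Agent's code and does not describe the actual CVE-2023-36437 defect. All names (`LengthPrefixedBuffer`, `BuildUnchecked`, `BuildChecked`, `MaxPayloadBytes`) and the inputs are hypothetical.

```csharp
using System;

// Constructed illustration of the "integer overflow -> undersized heap buffer"
// pattern. Not the Azure Pipelines Agent code; names and values are hypothetical.
public static class LengthPrefixedBuffer
{
    // Vulnerable pattern: the total size is computed in wrapping 32-bit arithmetic.
    // count * elementSize can wrap to a small value, so the allocated buffer is far
    // smaller than the count * elementSize bytes later written into it.
    public static byte[] BuildUnchecked(int count, int elementSize)
    {
        int total = unchecked(count * elementSize); // wraps silently on overflow
        return new byte[total];
    }

    // Hypothetical policy limit on a single payload; real code derives this from
    // the protocol or configuration.
    public const long MaxPayloadBytes = 64L * 1024 * 1024;

    // Hardened pattern: reject negative or zero sizes, compute in 64-bit arithmetic
    // so the product cannot wrap, and enforce an explicit upper bound before
    // allocating. 'checked' turns any remaining overflow into an OverflowException
    // instead of a wrapped value.
    public static byte[] BuildChecked(int count, int elementSize)
    {
        if (count < 0)
            throw new ArgumentOutOfRangeException(nameof(count));
        if (elementSize <= 0)
            throw new ArgumentOutOfRangeException(nameof(elementSize));

        long total = checked((long)count * elementSize);
        if (total > MaxPayloadBytes)
            throw new ArgumentOutOfRangeException(nameof(count), "payload exceeds limit");

        return new byte[checked((int)total)];
    }

    public static void Main()
    {
        // Constructed input: 65536 * 65536 = 2^32, which wraps to 0 in 32-bit arithmetic.
        byte[] small = BuildUnchecked(65536, 65536);
        Console.WriteLine($"unchecked: allocated {small.Length} bytes for 65536 x 65536 elements");

        try
        {
            BuildChecked(65536, 65536);
            Console.WriteLine("checked: allocation succeeded (unexpected)");
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine($"checked: rejected ({e.Message})");
        }
    }
}
```

In purely managed code the undersized array in `BuildUnchecked` surfaces as an `IndexOutOfRangeException` at the first out-of-bounds write, because the CLR bounds-checks array access; the same wrapped size passed into `unsafe` code, `stackalloc`, `Marshal`/P/Invoke buffers or native components is where it becomes a genuine heap write. The defensive rule is the same in both cases: compute sizes in a wider type, cap them against an explicit limit, and never let an attacker-controlled length reach an allocation or copy unchecked.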

Affected Products (1)

Azure

  • Azure Pipelines Agent

Security Updates (1)

Acknowledgments

Anonymous

Revision History

  • 2023-11-14: Information published.