Azure DevOps Server Remote Code Execution Vulnerability
CVE-2024-20667

7.5HIGH

Key Information:

Vendor: Microsoft
Status: Azure Devops Server 2022; Azure Devops Server; Azure Devops Server 2020.1.2
Vendor: CVE Published:; 13 February 2024

What is CVE-2024-20667?

A security vulnerability exists in Azure DevOps Server that permits remote code execution. This flaw can be exploited by an attacker to run arbitrary code within the context of the application, potentially leading to unauthorized access and severe impacts on the integrity and confidentiality of sensitive data. It is critical for organizations utilizing Azure DevOps Server to implement recommended security updates to mitigate this risk effectively. Detailed information and remediation guidance can be found in the Microsoft advisory.

Affected Version(s)

Azure DevOps Server 2020.1.2 Unknown 2020.1.0 < 20240126.2

Azure DevOps Server 2022 Unknown 20231128.1 < 20240126.4

Azure DevOps Server Unknown 1.0.0 < 20240126.6

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2024
Vulnerability Reserved
Nov 28, 2023