KLA11433
Multiple vulnerabilities in Microsoft Developer Tools

Updated: 22/07/2020
Detection date
12/03/2019
Severity
High
Description

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. A tampering vulnerability in NuGet Package Manager can be exploited remotely to spoof the user interface.
  2. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code.
  3. A cross-site scripting (XSS) vulnerability in Team Foundation Server can be exploited remotely via a specially crafted payload to spoof the user interface.
Affected products

Nuget 4.8.2
Nuget 4.4.2
Nuget 4.7.2
Mono Framework Version 5.18.0.223
.NET Core SDK 2.1.500
Nuget 4.3.1
Nuget 4.9.4
.NET Core SDK 1.1
Mono Framework Version 5.20.0
Nuget 4.6.3
Nuget 4.5.2
Visual Studio 2017 for Mac
.NET Core SDK 2.2.100
Team Foundation Server 2018 Update 3.2
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2017 Update 3.1

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Original advisories
CVE-2019-0757
CVE-2019-0809
CVE-2019-0777
Impact
ACE
SUI
Related products
Microsoft Visual Studio
Team Foundation Server
CVE-IDS
CVE-2019-0809: 6.8 (High)
CVE-2019-0777: 3.5 (Warning)
CVE-2019-0757: 4.0 (Warning)