CVE-2019-0996

EPSS 8.13%
Published 12.06.2019 14:29:02
Last modified 20.05.2025 18:15:34
Source secure@microsoft.com
Teams watchlist Login
Open Login

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user.
To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click a link to the malicious page.
The update addresses the vulnerability by modifying how Azure DevOps Server protects application registration requests.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Azure Devops Server Version2019

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	8.13%	0.913

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0996

Patch

Vendor Advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0996

https://nvd.nist.gov/vuln/detail/CVE-2019-0996

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0996

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0996

EUVD