Lucene search

[email protected]NVD:CVE-2020-16874

HistorySep 11, 2020 - 5:15 p.m.

CVE-2020-16874

2020-09-1117:15:17

[email protected]

web.nvd.nist.gov

visual studio

remote code execution

memory handling

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.012

Percentile

85.1%

JSON

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio.
The update addresses the vulnerability by correcting how Visual Studio handles objects in memory.

Affected configurations

Nvd

Node

microsoftvisual_studioMatch2012update_5

microsoftvisual_studioMatch2013update_5

microsoftvisual_studioMatch2015update_3

microsoftvisual_studio_2017Range15.0–15.8

microsoftvisual_studio_2019Range16.0–16.3

microsoftvisual_studio_2019Range16.5–16.6

VendorProductVersionCPE
microsoftvisual_studio2012cpe:2.3:a:microsoft:visual_studio:2012:update_5:*:*:*:*:*:*
microsoftvisual_studio2013cpe:2.3:a:microsoft:visual_studio:2013:update_5:*:*:*:*:*:*
microsoftvisual_studio2015cpe:2.3:a:microsoft:visual_studio:2015:update_3:*:*:*:*:*:*
microsoftvisual_studio_2017*cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*
microsoftvisual_studio_2019*cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	visual_studio	2012	cpe:2.3:a:microsoft:visual_studio:2012:update_5::::::
microsoft	visual_studio	2013	cpe:2.3:a:microsoft:visual_studio:2013:update_5::::::
microsoft	visual_studio	2015	cpe:2.3:a:microsoft:visual_studio:2015:update_3::::::
microsoft	visual_studio_2017	*	cpe:2.3:a:microsoft:visual_studio_2017::::::::
microsoft	visual_studio_2019	*	cpe:2.3:a:microsoft:visual_studio_2019::::::::