Lucene search
Mikhail Shcherbakov (@yu5k3)ZDI-23-1403HistorySep 12, 2023 - 12:00 a.m.
Microsoft Azure DevOps Server MachinePropertyBag Deserialization of Untrusted Data Local Privilege Escalation Vulnerability
2023-09-1200:00:00
Mikhail Shcherbakov (@yu5k3)
www.zerodayinitiative.com
10
vulnerability
local attackers
privilege escalation
microsoft azure devops server
machinepropertybag class
untrusted data
validation
deserialization
0.021 Low
EPSS
Percentile
89.2%
This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Azure DevOps Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the MachinePropertyBag class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account.
Related
nvd
nvd
CVE-2023-38155
2023-09-12 17:15:19
prion
prion
Remote code execution
2023-09-12 17:15:00
mscve
mscve
Azure DevOps Server Remote Code Execution Vulnerability
2023-09-12 07:00:00
cve
cve
CVE-2023-38155
2023-09-12 17:15:19
cvelist
cvelist
CVE-2023-38155 Azure DevOps Server Remote Code Execution Vulnerability
2023-09-12 16:58:37
nessus
nessus
kaspersky
kaspersky
KLA60565 Multiple vulnerabilities in Microsoft Azure
2023-09-12 00:00:00
KLA60561 Multiple vulnerabilities in Microsoft Developer Tools
2023-09-12 00:00:00
rapid7blog
rapid7blog
Patch Tuesday - September 2023
2023-09-12 22:55:55