Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
120 vulnerabilities found for azure_devops_server by microsoft
FKIE_CVE-2026-21512
Vulnerability from fkie_nvd - Published: 2026-02-10 18:16 - Updated: 2026-02-11 21:39
Severity ?
Summary
Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | * | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 | |
| microsoft | azure_devops_server | 2022.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "648338CD-C36A-41F0-8790-713928111BC7",
"versionEndExcluding": "2022.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "BCE17387-5AB3-4EED-BBAD-C0BFFC106C98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch2:*:*:*:*:*:*",
"matchCriteriaId": "F74AA6F1-F3A6-4F78-BD49-4907E487BEA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch3:*:*:*:*:*:*",
"matchCriteriaId": "FEBE376F-E4B1-4A28-A1C1-D35F1A50B592",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch4:*:*:*:*:*:*",
"matchCriteriaId": "7D4189D3-8BF8-439A-99BE-FF9A3787C14F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch5:*:*:*:*:*:*",
"matchCriteriaId": "9755C061-2382-48B9-8556-71C7B8BEF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch6:*:*:*:*:*:*",
"matchCriteriaId": "3BBA3E1F-F60B-4FAB-85B3-AB9A311A9CA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch7:*:*:*:*:*:*",
"matchCriteriaId": "241CF9B3-92B7-42BF-AD86-4B34459EDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "30FDFC54-1791-4224-9270-10E96C437C93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."
},
{
"lang": "es",
"value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Azure DevOps Server permite a un atacante autorizado realizar suplantaci\u00f3n a trav\u00e9s de una red."
}
],
"id": "CVE-2026-21512",
"lastModified": "2026-02-11T21:39:50.107",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "secure@microsoft.com",
"type": "Primary"
}
]
},
"published": "2026-02-10T18:16:33.493",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "secure@microsoft.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-35266
Vulnerability from fkie_nvd - Published: 2024-07-09 17:15 - Updated: 2024-11-21 09:20
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2022.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8B832B-91ED-4283-91EB-DD3D29D58669",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de suplantaci\u00f3n de identidad del servidor Azure DevOps"
}
],
"id": "CVE-2024-35266",
"lastModified": "2024-11-21T09:20:03.053",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.5,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2024-07-09T17:15:18.413",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-35267
Vulnerability from fkie_nvd - Published: 2024-07-09 17:15 - Updated: 2024-11-21 09:20
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2022.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8B832B-91ED-4283-91EB-DD3D29D58669",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de suplantaci\u00f3n de identidad del servidor Azure DevOps"
}
],
"id": "CVE-2024-35267",
"lastModified": "2024-11-21T09:20:03.217",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.5,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2024-07-09T17:15:18.630",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-20667
Vulnerability from fkie_nvd - Published: 2024-02-13 18:15 - Updated: 2024-11-21 08:52
Severity ?
Summary
Azure DevOps Server Remote Code Execution Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2019.1.2 | |
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "E47C8F7E-E085-4C8C-A522-687F9B2C7B34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.1:-:*:*:*:*:*:*",
"matchCriteriaId": "B96825FF-D464-4430-A5FC-751500FB49F7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo del servidor Azure DevOps"
}
],
"id": "CVE-2024-20667",
"lastModified": "2024-11-21T08:52:52.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2024-02-13T18:15:47.377",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-21751
Vulnerability from fkie_nvd - Published: 2023-12-14 00:15 - Updated: 2024-11-21 07:43
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B8B832B-91ED-4283-91EB-DD3D29D58669",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de suplantaci\u00f3n de identidad del servidor Azure DevOps"
}
],
"id": "CVE-2023-21751",
"lastModified": "2024-11-21T07:43:34.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-12-14T00:15:42.863",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-36561
Vulnerability from fkie_nvd - Published: 2023-10-10 18:15 - Updated: 2024-11-21 08:09
Severity ?
Summary
Azure DevOps Server Elevation of Privilege Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2020.0.2 | |
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.0.2:-:*:*:*:*:*:*",
"matchCriteriaId": "ABF9F2EE-7A4F-4FEC-BF7A-6574B173F3D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "890F7135-DCF3-40A6-9FFE-F048EE7E1565",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Elevation of Privilege Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de elevaci\u00f3n de privilegios en Azure DevOps Server"
}
],
"id": "CVE-2023-36561",
"lastModified": "2024-11-21T08:09:56.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-10-10T18:15:12.930",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-38155
Vulnerability from fkie_nvd - Published: 2023-09-12 17:15 - Updated: 2024-11-21 08:12
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Azure DevOps Server Remote Code Execution Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2019.0.1 | |
| microsoft | azure_devops_server | 2019.1.2 | |
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.0.1 | |
| microsoft | azure_devops_server | 2022.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CE7EFADB-24D4-4DB7-A9E5-9C93F1286232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1562E6BE-3870-4238-A66A-20DA91A5F59F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AEB15A35-7006-4371-9094-274F57BE3DC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2B722F81-74C8-4A5E-9F58-6549B5455637",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E635007D-5F48-4846-B100-80FB9FB643A3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo del Servidor Azure DevOps"
}
],
"id": "CVE-2023-38155",
"lastModified": "2024-11-21T08:12:58.437",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T17:15:19.527",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-33136
Vulnerability from fkie_nvd - Published: 2023-09-12 17:15 - Updated: 2024-11-21 08:04
Severity ?
Summary
Azure DevOps Server Remote Code Execution Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2019.0.1 | |
| microsoft | azure_devops_server | 2019.1.2 | |
| microsoft | azure_devops_server | 2020.0.2 | |
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "FD677E75-F110-4C20-A408-0F0620D468BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "E47C8F7E-E085-4C8C-A522-687F9B2C7B34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.0.2:-:*:*:*:*:*:*",
"matchCriteriaId": "ABF9F2EE-7A4F-4FEC-BF7A-6574B173F3D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "890F7135-DCF3-40A6-9FFE-F048EE7E1565",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo del Servidor Azure DevOps"
}
],
"id": "CVE-2023-33136",
"lastModified": "2024-11-21T08:04:57.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-09-12T17:15:09.353",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-36869
Vulnerability from fkie_nvd - Published: 2023-08-08 18:15 - Updated: 2024-11-21 08:10
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2019.0.1 | |
| microsoft | azure_devops_server | 2019.1.2 | |
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "FD677E75-F110-4C20-A408-0F0620D468BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2019.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "E47C8F7E-E085-4C8C-A522-687F9B2C7B34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "890F7135-DCF3-40A6-9FFE-F048EE7E1565",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"id": "CVE-2023-36869",
"lastModified": "2024-11-21T08:10:48.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-08-08T18:15:14.613",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-21569
Vulnerability from fkie_nvd - Published: 2023-06-14 00:15 - Updated: 2024-11-21 07:43
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022 | |
| microsoft | azure_devops_server | 2022.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022:-:*:*:*:*:*:*",
"matchCriteriaId": "17B4B344-7600-4E89-B2ED-F97792D5746B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "890F7135-DCF3-40A6-9FFE-F048EE7E1565",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"id": "CVE-2023-21569",
"lastModified": "2024-11-21T07:43:06.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.4,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-06-14T00:15:09.497",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-21565
Vulnerability from fkie_nvd - Published: 2023-06-14 00:15 - Updated: 2024-11-21 07:43
Severity ?
Summary
Azure DevOps Server Spoofing Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | azure_devops_server | 2020.1.2 | |
| microsoft | azure_devops_server | 2022 | |
| microsoft | azure_devops_server | 2022.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2020.1.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A8F7E9F3-B3DC-4161-AA99-DF4E17599868",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022:-:*:*:*:*:*:*",
"matchCriteriaId": "17B4B344-7600-4E89-B2ED-F97792D5746B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.0.1:-:*:*:*:*:*:*",
"matchCriteriaId": "890F7135-DCF3-40A6-9FFE-F048EE7E1565",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"id": "CVE-2023-21565",
"lastModified": "2024-11-21T07:43:05.803",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2023-06-14T00:15:09.433",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2026-21512 (GCVE-0-2026-21512)
Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-04-10 13:21
VLAI?
Title
Azure DevOps Server Cross-Site Scripting Vulnerability
Summary
Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20230131.0 , < 20260204.3
(custom)
|
Date Public ?
2026-02-10 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T15:23:49.008178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T15:24:04.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20260204.3",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_devops_server_2022:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20260204.3",
"versionStartIncluding": "20230131.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-02-10T16:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:21:02.551Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Cross-Site Scripting Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"
}
],
"title": "Azure DevOps Server Cross-Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-21512",
"datePublished": "2026-02-10T17:51:16.670Z",
"dateReserved": "2025-12-30T18:10:54.845Z",
"dateUpdated": "2026-04-10T13:21:02.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35267 (GCVE-0-2024-35267)
Vulnerability from cvelistv5 – Published: 2024-07-09 17:02 – Updated: 2025-12-09 23:46
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240702.1
(custom)
|
Date Public ?
2024-07-09 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T19:01:43.343006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T19:01:55.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240702.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240702.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-07-09T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T23:46:58.359Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-35267",
"datePublished": "2024-07-09T17:02:43.425Z",
"dateReserved": "2024-05-14T20:14:47.413Z",
"dateUpdated": "2025-12-09T23:46:58.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35266 (GCVE-0-2024-35266)
Vulnerability from cvelistv5 – Published: 2024-07-09 17:02 – Updated: 2025-12-09 23:46
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240702.1
(custom)
|
Date Public ?
2024-07-09 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:47.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:02:17.828361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:25:10.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240702.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240702.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-07-09T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T23:46:57.713Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-35266",
"datePublished": "2024-07-09T17:02:42.873Z",
"dateReserved": "2024-05-14T20:14:47.413Z",
"dateUpdated": "2025-12-09T23:46:57.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-20667 (GCVE-0-2024-20667)
Vulnerability from cvelistv5 – Published: 2024-02-13 18:02 – Updated: 2025-05-09 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240126.4
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2024-02-13 08:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:59:42.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-20667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:44:48.382661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T18:18:56.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.4",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.4",
"versionStartIncluding": "20231128.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.6",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-02-13T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-03T01:37:24.014Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-20667",
"datePublished": "2024-02-13T18:02:07.424Z",
"dateReserved": "2023-11-28T22:58:12.115Z",
"dateUpdated": "2025-05-09T18:18:56.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21751 (GCVE-0-2023-21751)
Vulnerability from cvelistv5 – Published: 2023-12-13 23:14 – Updated: 2025-01-01 02:18
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20231128.1
(custom)
|
|||||||
|
|||||||||
Date Public ?
2023-12-13 08:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:51:49.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20231128.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20231127.4",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20231128.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20231127.4",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-12-13T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T02:18:47.376Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21751",
"datePublished": "2023-12-13T23:14:37.461Z",
"dateReserved": "2022-12-13T20:22:00.846Z",
"dateUpdated": "2025-01-01T02:18:47.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36561 (GCVE-0-2023-36561)
Vulnerability from cvelistv5 – Published: 2023-10-10 17:08 – Updated: 2025-04-14 22:46
VLAI?
Title
Azure DevOps Server Elevation of Privilege Vulnerability
Summary
Azure DevOps Server Elevation of Privilege Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022.0.1 |
Affected:
2022.0.0 , < 20230926.1
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-10-10 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:53.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.1",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230927.1",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.1",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230927.1",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-10T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T22:46:33.530Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36561",
"datePublished": "2023-10-10T17:08:01.950Z",
"dateReserved": "2023-06-23T20:11:38.789Z",
"dateUpdated": "2025-04-14T22:46:33.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38155 (GCVE-0-2023-38155)
Vulnerability from cvelistv5 – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2019.0.1 |
Affected:
2019.0.0 , < 20230601.3
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:14.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:18:06.568Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-38155",
"datePublished": "2023-09-12T16:58:37.646Z",
"dateReserved": "2023-07-12T23:41:45.861Z",
"dateUpdated": "2025-10-30T18:18:06.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33136 (GCVE-0-2023-33136)
Vulnerability from cvelistv5 – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:17
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.0.2 |
Affected:
2020.0.0 , < 20230820.2
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:13:06.923996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:13:09.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:17:40.891Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-33136",
"datePublished": "2023-09-12T16:58:34.967Z",
"dateReserved": "2023-05-17T21:16:44.896Z",
"dateUpdated": "2025-10-30T18:17:40.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-36869 (GCVE-0-2023-36869)
Vulnerability from cvelistv5 – Published: 2023-08-08 17:08 – Updated: 2025-01-01 01:59
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server |
Affected:
1.0.0 , < 20230601.1
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Date Public ?
2023-08-08 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:06:43.487941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:07:00.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230721.6",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230721.6",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-08-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:59:07.427Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36869",
"datePublished": "2023-08-08T17:08:19.962Z",
"dateReserved": "2023-06-27T20:26:38.144Z",
"dateUpdated": "2025-01-01T01:59:07.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21565 (GCVE-0-2023-21565)
Vulnerability from cvelistv5 – Published: 2023-06-13 23:25 – Updated: 2025-01-01 01:43
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20230131.0 , < 20230602.4
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-06-13 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:38:46.631479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T18:38:53.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:44:01.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.4",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.4",
"versionStartIncluding": "20230131.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-06-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:43:36.030Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21565",
"datePublished": "2023-06-13T23:25:57.118Z",
"dateReserved": "2022-12-01T14:00:11.204Z",
"dateUpdated": "2025-01-01T01:43:36.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-21512 (GCVE-0-2026-21512)
Vulnerability from nvd – Published: 2026-02-10 17:51 – Updated: 2026-04-10 13:21
VLAI?
Title
Azure DevOps Server Cross-Site Scripting Vulnerability
Summary
Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20230131.0 , < 20260204.3
(custom)
|
Date Public ?
2026-02-10 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T15:23:49.008178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T15:24:04.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20260204.3",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_devops_server_2022:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20260204.3",
"versionStartIncluding": "20230131.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-02-10T16:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:21:02.551Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Cross-Site Scripting Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"
}
],
"title": "Azure DevOps Server Cross-Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-21512",
"datePublished": "2026-02-10T17:51:16.670Z",
"dateReserved": "2025-12-30T18:10:54.845Z",
"dateUpdated": "2026-04-10T13:21:02.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35267 (GCVE-0-2024-35267)
Vulnerability from nvd – Published: 2024-07-09 17:02 – Updated: 2025-12-09 23:46
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240702.1
(custom)
|
Date Public ?
2024-07-09 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T19:01:43.343006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T19:01:55.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240702.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240702.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-07-09T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T23:46:58.359Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35267"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-35267",
"datePublished": "2024-07-09T17:02:43.425Z",
"dateReserved": "2024-05-14T20:14:47.413Z",
"dateUpdated": "2025-12-09T23:46:58.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35266 (GCVE-0-2024-35266)
Vulnerability from nvd – Published: 2024-07-09 17:02 – Updated: 2025-12-09 23:46
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240702.1
(custom)
|
Date Public ?
2024-07-09 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:47.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:02:17.828361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:25:10.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240702.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240702.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-07-09T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T23:46:57.713Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35266"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-35266",
"datePublished": "2024-07-09T17:02:42.873Z",
"dateReserved": "2024-05-14T20:14:47.413Z",
"dateUpdated": "2025-12-09T23:46:57.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-20667 (GCVE-0-2024-20667)
Vulnerability from nvd – Published: 2024-02-13 18:02 – Updated: 2025-05-09 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20240126.4
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2024-02-13 08:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:59:42.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-20667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:44:48.382661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T18:18:56.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.4",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20240126.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.4",
"versionStartIncluding": "20231128.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.6",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20240126.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-02-13T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-03T01:37:24.014Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20667"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-20667",
"datePublished": "2024-02-13T18:02:07.424Z",
"dateReserved": "2023-11-28T22:58:12.115Z",
"dateUpdated": "2025-05-09T18:18:56.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21751 (GCVE-0-2023-21751)
Vulnerability from nvd – Published: 2023-12-13 23:14 – Updated: 2025-01-01 02:18
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20231128.1 , < 20231128.1
(custom)
|
|||||||
|
|||||||||
Date Public ?
2023-12-13 08:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:51:49.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20231128.1",
"status": "affected",
"version": "20231128.1",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20231127.4",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20231128.1",
"versionStartIncluding": "20231128.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20231127.4",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-12-13T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T02:18:47.376Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21751",
"datePublished": "2023-12-13T23:14:37.461Z",
"dateReserved": "2022-12-13T20:22:00.846Z",
"dateUpdated": "2025-01-01T02:18:47.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36561 (GCVE-0-2023-36561)
Vulnerability from nvd – Published: 2023-10-10 17:08 – Updated: 2025-04-14 22:46
VLAI?
Title
Azure DevOps Server Elevation of Privilege Vulnerability
Summary
Azure DevOps Server Elevation of Privilege Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022.0.1 |
Affected:
2022.0.0 , < 20230926.1
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-10-10 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:53.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.1",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230927.1",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.1",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230927.1",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-10T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T22:46:33.530Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36561",
"datePublished": "2023-10-10T17:08:01.950Z",
"dateReserved": "2023-06-23T20:11:38.789Z",
"dateUpdated": "2025-04-14T22:46:33.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38155 (GCVE-0-2023-38155)
Vulnerability from nvd – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2019.0.1 |
Affected:
2019.0.0 , < 20230601.3
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:14.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:18:06.568Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-38155",
"datePublished": "2023-09-12T16:58:37.646Z",
"dateReserved": "2023-07-12T23:41:45.861Z",
"dateUpdated": "2025-10-30T18:18:06.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33136 (GCVE-0-2023-33136)
Vulnerability from nvd – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:17
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.0.2 |
Affected:
2020.0.0 , < 20230820.2
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:13:06.923996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:13:09.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:17:40.891Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-33136",
"datePublished": "2023-09-12T16:58:34.967Z",
"dateReserved": "2023-05-17T21:16:44.896Z",
"dateUpdated": "2025-10-30T18:17:40.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-36869 (GCVE-0-2023-36869)
Vulnerability from nvd – Published: 2023-08-08 17:08 – Updated: 2025-01-01 01:59
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server |
Affected:
1.0.0 , < 20230601.1
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Date Public ?
2023-08-08 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:06:43.487941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:07:00.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230721.6",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230721.6",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-08-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:59:07.427Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36869",
"datePublished": "2023-08-08T17:08:19.962Z",
"dateReserved": "2023-06-27T20:26:38.144Z",
"dateUpdated": "2025-01-01T01:59:07.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}