cnvd - cnvd-2021-01041

cnvd-2021-01041

Vulnerability from cnvd

Title: Microsoft Visual Studio远程代码执行漏洞（CNVD-2021-01041）

Description:

Microsoft Visual Studio是一个集成的开发环境，用于开发计算机程序、网站、Web应用程序、Web服务和移动应用程序。

Microsoft Visual Studio存在远程代码执行漏洞。攻击者可利用该漏洞在当前用户的上下文中执行任意代码。

Severity: 高

Patch Name: Microsoft Visual Studio远程代码执行漏洞（CNVD-2021-01041）的补丁

Patch Description:

Microsoft Visual Studio是一个集成的开发环境，用于开发计算机程序、网站、Web应用程序、Web服务和移动应用程序。

Microsoft Visual Studio存在远程代码执行漏洞。攻击者可利用该漏洞在当前用户的上下文中执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874

Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874

Impacted products

Name
['Microsoft Visual Studio 2017', 'Microsoft Visual Studio 2012 Update 5', 'Microsoft Visual Studio 2013 Update 5']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-16874",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-16874"
    }
  },
  "description": "Microsoft Visual Studio\u662f\u4e00\u4e2a\u96c6\u6210\u7684\u5f00\u53d1\u73af\u5883\uff0c\u7528\u4e8e\u5f00\u53d1\u8ba1\u7b97\u673a\u7a0b\u5e8f\u3001\u7f51\u7ad9\u3001Web\u5e94\u7528\u7a0b\u5e8f\u3001Web\u670d\u52a1\u548c\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\n\nMicrosoft Visual Studio\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-01041",
  "openTime": "2021-01-07",
  "patchDescription": "Microsoft Visual Studio\u662f\u4e00\u4e2a\u96c6\u6210\u7684\u5f00\u53d1\u73af\u5883\uff0c\u7528\u4e8e\u5f00\u53d1\u8ba1\u7b97\u673a\u7a0b\u5e8f\u3001\u7f51\u7ad9\u3001Web\u5e94\u7528\u7a0b\u5e8f\u3001Web\u670d\u52a1\u548c\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nMicrosoft Visual Studio\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Visual Studio\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2021-01041\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Visual Studio 2017",
      "Microsoft Visual Studio 2012 Update 5",
      "Microsoft Visual Studio 2013 Update 5"
    ]
  },
  "referenceLink": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874",
  "serverity": "\u9ad8",
  "submitTime": "2020-09-10",
  "title": "Microsoft Visual Studio\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2021-01041\uff09"
}

CVE-2020-16874 (GCVE-0-2020-16874)

Vulnerability from cvelistv5

Published

2020-09-11 17:08

Modified

2024-08-04 13:45

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CWE

Remote Code Execution

Summary

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio. The update addresses the vulnerability by correcting how Visual Studio handles objects in memory.

References

▼	URL	Tags
	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Microsoft

Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)

Version: 16.0.0 < publication
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*

Microsoft	Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)	Version: 15.9.0 < publication cpe:2.3:a:microsoft:visual_studio_2017::::::::
Microsoft	Microsoft Visual Studio 2019 version 16.0	Version: 16.0 < publication cpe:2.3:a:microsoft:visual_studio_2019::::::::
Microsoft	Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)	Version: 16.0 < publication cpe:2.3:a:microsoft:visual_studio_2019::::::::
Microsoft	Microsoft Visual Studio 2012 Update 5	Version: 11.0.0 < publication cpe:2.3:a:microsoft:visual_studio:2012:update_5::::::
Microsoft	Microsoft Visual Studio 2013 Update 5	Version: 12.0.0 < publication cpe:2.3:a:microsoft:visual_studio:2013:update_5::::::
Microsoft	Microsoft Visual Studio 2015 Update 3	Version: 14.0.0 < publication cpe:2.3:a:microsoft:visual_studio:2015:update3::::::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:45:34.227Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "15.9.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2019 version 16.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "16.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "16.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio:2012:update_5:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2012 Update 5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio:2013:update_5:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2013 Update 5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:microsoft:visual_studio:2015:update3:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Visual Studio 2015 Update 3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "14.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-09-08T07:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "\u003cp\u003eA remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003eTo exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio.\u003c/p\u003e\n\u003cp\u003eThe update addresses the vulnerability by correcting how Visual Studio handles objects in memory.\u003c/p\u003e\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-31T21:35:05.625Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874"
        }
      ],
      "title": "Visual Studio Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2020-16874",
    "datePublished": "2020-09-11T17:08:47",
    "dateReserved": "2020-08-04T00:00:00",
    "dateUpdated": "2024-08-04T13:45:34.227Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted