CVE-2024-35266

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required  is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious file and convince the user to open it.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to a high loss of confidentiality (C:H), and integrity (I:H) and some loss of availability (A:L). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could view sensitive information, a token in this scenario (Confidentiality) and make changes to disclosed information (Integrity), and they might be able to force a crash within the server (Availability).

What actions do customers need to take to protect themselves from this vulnerability?

Customers using Azure DevOps 2022.1 must update to Azure DevOps Server 2022.2 released on 09 July, 2024 to be protected. For more information on this recent Azure DevOps release, see here: Azure DevOps Server 2022 Update 2 Release Notes.

Im having trouble downloading the update linked in the Security Updates table, what should I do?

The link in the Security Updates table has been fixed and customers should retry downloading if it previously failed. This was due to Azure DevOps re-releasing Azure DevOps Server 2022.2 to fix a technical issue.

Customers who installed the version of Azure DevOps Server 2022.2 released on July 9, can install Patch 1 for Azure DevOps Server 2022.2. Patch 1 is not required if you are installing Azure DevOps Server 2022.2 for the first time since the download links were updated to include the fix.

For more information reference the Azure DevOps Server 2022.2 Release Notes here: Azure DevOps Server 2022.2 RTW Release Date: July 9, 2024.