Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities found for Azure DevOps Server 2022.0.1 by Microsoft
CVE-2023-36561 (GCVE-0-2023-36561)
Vulnerability from nvd – Published: 2023-10-10 17:08 – Updated: 2025-04-14 22:46
VLAI?
Title
Azure DevOps Server Elevation of Privilege Vulnerability
Summary
Azure DevOps Server Elevation of Privilege Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022.0.1 |
Affected:
2022.0.0 , < 20230926.1
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-10-10 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:53.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.1",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230927.1",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.1",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230927.1",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-10T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T22:46:33.530Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36561",
"datePublished": "2023-10-10T17:08:01.950Z",
"dateReserved": "2023-06-23T20:11:38.789Z",
"dateUpdated": "2025-04-14T22:46:33.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38155 (GCVE-0-2023-38155)
Vulnerability from nvd – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2019.0.1 |
Affected:
2019.0.0 , < 20230601.3
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:14.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:18:06.568Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-38155",
"datePublished": "2023-09-12T16:58:37.646Z",
"dateReserved": "2023-07-12T23:41:45.861Z",
"dateUpdated": "2025-10-30T18:18:06.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33136 (GCVE-0-2023-33136)
Vulnerability from nvd – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:17
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.0.2 |
Affected:
2020.0.0 , < 20230820.2
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:13:06.923996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:13:09.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:17:40.891Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-33136",
"datePublished": "2023-09-12T16:58:34.967Z",
"dateReserved": "2023-05-17T21:16:44.896Z",
"dateUpdated": "2025-10-30T18:17:40.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-36869 (GCVE-0-2023-36869)
Vulnerability from nvd – Published: 2023-08-08 17:08 – Updated: 2025-01-01 01:59
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server |
Affected:
1.0.0 , < 20230601.1
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Date Public ?
2023-08-08 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:06:43.487941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:07:00.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230721.6",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230721.6",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-08-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:59:07.427Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36869",
"datePublished": "2023-08-08T17:08:19.962Z",
"dateReserved": "2023-06-27T20:26:38.144Z",
"dateUpdated": "2025-01-01T01:59:07.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21569 (GCVE-0-2023-21569)
Vulnerability from nvd – Published: 2023-06-13 23:25 – Updated: 2025-01-01 01:43
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.1.2 |
Affected:
2020.1.0 , < 20230601.3
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-06-13 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:04:10.459586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:50:05.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:44:01.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.4",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.4",
"versionStartIncluding": "20230131.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-06-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:43:35.391Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21569",
"datePublished": "2023-06-13T23:25:57.688Z",
"dateReserved": "2022-12-01T14:00:11.204Z",
"dateUpdated": "2025-01-01T01:43:35.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21565 (GCVE-0-2023-21565)
Vulnerability from nvd – Published: 2023-06-13 23:25 – Updated: 2025-01-01 01:43
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20230131.0 , < 20230602.4
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-06-13 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:38:46.631479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T18:38:53.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:44:01.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.4",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.4",
"versionStartIncluding": "20230131.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-06-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:43:36.030Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21565",
"datePublished": "2023-06-13T23:25:57.118Z",
"dateReserved": "2022-12-01T14:00:11.204Z",
"dateUpdated": "2025-01-01T01:43:36.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36561 (GCVE-0-2023-36561)
Vulnerability from cvelistv5 – Published: 2023-10-10 17:08 – Updated: 2025-04-14 22:46
VLAI?
Title
Azure DevOps Server Elevation of Privilege Vulnerability
Summary
Azure DevOps Server Elevation of Privilege Vulnerability
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022.0.1 |
Affected:
2022.0.0 , < 20230926.1
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-10-10 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:53.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.1",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230927.1",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230926.2",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.1",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230927.1",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230926.2",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-10T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T22:46:33.530Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36561"
}
],
"title": "Azure DevOps Server Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36561",
"datePublished": "2023-10-10T17:08:01.950Z",
"dateReserved": "2023-06-23T20:11:38.789Z",
"dateUpdated": "2025-04-14T22:46:33.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38155 (GCVE-0-2023-38155)
Vulnerability from cvelistv5 – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:18
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2019.0.1 |
Affected:
2019.0.0 , < 20230601.3
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:14.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:18:06.568Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38155"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-38155",
"datePublished": "2023-09-12T16:58:37.646Z",
"dateReserved": "2023-07-12T23:41:45.861Z",
"dateUpdated": "2025-10-30T18:18:06.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33136 (GCVE-0-2023-33136)
Vulnerability from cvelistv5 – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:17
VLAI?
Title
Azure DevOps Server Remote Code Execution Vulnerability
Summary
Azure DevOps Server Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.0.2 |
Affected:
2020.0.0 , < 20230820.2
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Date Public ?
2023-09-12 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:13:06.923996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:13:09.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230820.2",
"status": "affected",
"version": "2020.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230823.1",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230825.4",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230820.2",
"versionStartIncluding": "2020.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230823.1",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230825.4",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:17:40.891Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33136"
}
],
"title": "Azure DevOps Server Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-33136",
"datePublished": "2023-09-12T16:58:34.967Z",
"dateReserved": "2023-05-17T21:16:44.896Z",
"dateUpdated": "2025-10-30T18:17:40.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-36869 (GCVE-0-2023-36869)
Vulnerability from cvelistv5 – Published: 2023-08-08 17:08 – Updated: 2025-01-01 01:59
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server |
Affected:
1.0.0 , < 20230601.1
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Date Public ?
2023-08-08 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:06:43.487941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:07:00.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2019.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230721.6",
"status": "affected",
"version": "2019.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20230721.6",
"versionStartIncluding": "2019.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-08-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:59:07.427Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36869"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-36869",
"datePublished": "2023-08-08T17:08:19.962Z",
"dateReserved": "2023-06-27T20:26:38.144Z",
"dateUpdated": "2025-01-01T01:59:07.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21569 (GCVE-0-2023-21569)
Vulnerability from cvelistv5 – Published: 2023-06-13 23:25 – Updated: 2025-01-01 01:43
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2020.1.2 |
Affected:
2020.1.0 , < 20230601.3
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-06-13 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:04:10.459586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:50:05.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:44:01.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.4",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.4",
"versionStartIncluding": "20230131.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-06-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:43:35.391Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21569"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21569",
"datePublished": "2023-06-13T23:25:57.688Z",
"dateReserved": "2022-12-01T14:00:11.204Z",
"dateUpdated": "2025-01-01T01:43:35.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21565 (GCVE-0-2023-21565)
Vulnerability from cvelistv5 – Published: 2023-06-13 23:25 – Updated: 2025-01-01 01:43
VLAI?
Title
Azure DevOps Server Spoofing Vulnerability
Summary
Azure DevOps Server Spoofing Vulnerability
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft | Azure DevOps Server 2022 |
Affected:
20230131.0 , < 20230602.4
(custom)
|
||||||||||||
|
||||||||||||||
Date Public ?
2023-06-13 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:38:46.631479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T18:38:53.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:44:01.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.4",
"status": "affected",
"version": "20230131.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2020.1.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230601.3",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure DevOps Server 2022.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "20230602.5",
"status": "affected",
"version": "2022.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.4",
"versionStartIncluding": "20230131.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230601.3",
"versionStartIncluding": "2020.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:-:*:*:*:*:*:*",
"versionEndExcluding": "20230602.5",
"versionStartIncluding": "2022.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-06-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure DevOps Server Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-01T01:43:36.030Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure DevOps Server Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21565"
}
],
"title": "Azure DevOps Server Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-21565",
"datePublished": "2023-06-13T23:25:57.118Z",
"dateReserved": "2022-12-01T14:00:11.204Z",
"dateUpdated": "2025-01-01T01:43:36.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}