CVE-2019-1072 (CNNVD-201907-388)
中文标题:
Microsoft Team Foundation Server和Microsoft Azure DevOps Server 输入验证错误漏洞
英文标题:
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TF...
漏洞描述
中文描述:
Microsoft Team Foundation Server和Microsoft Azure DevOps Server都是美国微软(Microsoft)公司的产品。Microsoft Team Foundation Server是一套应用程序生命周期管理(ALM)工具套件中的团队协作平台。该平台包括的代码管理、项目管理等功能。Microsoft Azure DevOps Server是一套软件开发协作工具。该产品包括共享代码、工作跟踪和软件发布等功能。 Microsoft Team Foundation Server和Microsoft Azure DevOps Server中存在远程代码执行漏洞,该漏洞源于程序没有正确处理用户的输入。攻击者可通过提交特制的文件利用该漏洞在目标服务器上执行代码。以下产品及版本受到影响:Microsoft Azure DevOps Server 2019.0.1版本;Team Foundation Server 2010 SP1版本,Team Foundation Server 2012 Update 4版本,Team Foundation Server 2013 Update 5版本,Team Foundation Server 2015 Update 4.2版本,Team Foundation Server 2017 Update 3.1版本,Team Foundation Server 2018 Update 1.2版本,Team Foundation Server 2018 Update 3.2版本。
英文描述:
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Microsoft | Team Foundation Server 2012 | Update 4 | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2012:update_4:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2013 Update 5 | unspecified | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2013_update_5:unspecified:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2018 | Update 1.2 | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2018:update_1.2:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2018 | Update 3.2 | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2018:update_3.2:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server | 2017 Update 3.1 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2017_update_3.1:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2015 | Update 4.2 | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2015:update_4.2:*:*:*:*:*:*:*
|
| Microsoft | Azure DevOps Server | 2019.0.1 | - | - |
cpe:2.3:a:microsoft:azure_devops_server:2019.0.1:*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2010 | SP1 (x86) | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2010:sp1_(x86):*:*:*:*:*:*:*
|
| Microsoft | Team Foundation Server 2010 | SP1 (x64) | - | - |
cpe:2.3:a:microsoft:team_foundation_server_2010:sp1_(x64):*:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2010 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2010:sp1:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2012 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2012:4:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2013 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2013:5:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2015 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2015:4.2:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2017 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2017:3.1:*:*:*:*:*:*
|
| microsoft | team_foundation_server | 2018 | - | - |
cpe:2.3:a:microsoft:team_foundation_server:2018:1.2:*:*:*:*:*:*
|
| microsoft | azure_devops_server | 2019.0.1 | - | - |
cpe:2.3:o:microsoft:azure_devops_server:2019.0.1:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2019-1072 |
2025-11-11 15:20:07 | 2025-11-11 07:35:27 |
| NVD | nvd_CVE-2019-1072 |
2025-11-11 14:56:24 | 2025-11-11 07:44:00 |
| CNNVD | cnnvd_CNNVD-201907-388 |
2025-11-11 15:10:14 | 2025-11-11 07:54:43 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 输入验证错误
- cnnvd_id: 未提取 -> CNNVD-201907-388
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- severity: SeverityLevel.MEDIUM -> SeverityLevel.CRITICAL
- cvss_score: 未提取 -> 9.8
- cvss_vector: NOT_EXTRACTED -> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss_version: NOT_EXTRACTED -> 3.0
- affected_products_count: 9 -> 16
- data_sources: ['cve'] -> ['cve', 'nvd']