Visual Studio Elevation of Privilege Vulnerability - CVE-2019-1425ID: oval:org.secpod.oval:def:59638 | Date: (C)2019-11-14 (M)2021-06-02 |
Class: VULNERABILITY | Family: windows |
An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files. An attacker who successfully exploited this vulnerability could overwrite arbitrary files in the security context of the local system. To exploit this vulnerability, an attacker would need to trick an elevated user into downloading a malicious package, either by getting them to open a malicious project or convincing them to add a malicious package to an existing project. The vulnerabilities were introduced by NPM packages used by Visual Studio and subsequently addressed via the following two NPM advisories: Arbitrary File Overwrite - tar and Arbitrary File Overwrite - fstream. The update addresses the vulnerability by updating the NPM packages, which corrects how Visual Studio validates hardlinks during extraction of file archives.
Platform: |
Microsoft Windows 7 |
Microsoft Windows 8.1 |
Microsoft Windows 10 |
Microsoft Windows Server 2008 |
Microsoft Windows Server 2008 R2 |
Microsoft Windows Server 2012 |
Microsoft Windows Server 2012 R2 |
Microsoft Windows Server 2016 |
Microsoft Windows Server 2019 |
Product: |
Microsoft Visual Studio 2017 |
Microsoft Visual Studio 2019 |