Multiple vulnerabilities in Microsoft Visual Studio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-0537 CVE-2019-0546 |
| CWE-ID | CWE-200 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Visual Studio Universal components / Libraries / Software for developers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU16871
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-0537
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file. A remote attacker can trick the victim into opening a malicious .vscontent file using a vulnerable version of Visual Studio and view arbitrary file contents from the computer where the victim launched Visual Studio.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: 2010 Service Pack 1 - 2012 Update 4
CPE2.3- cpe:2.3:a:microsoft:visual_studio:2010_Service_Pack_1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:2012_Update_4:*:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0537
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU16872
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-0546
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs. A remote unauthenticated attacker can trick the victim into opening a specially crafted file which was compiled with an affected version of Visual Studio
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: 15.9
CPE2.3 External linkshttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0546
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
