SB2023041149 - Multiple vulnerabilities in Microsoft Visual Studio
Published: April 11, 2023 Updated: June 8, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Spoofing attack (CVE-ID: CVE-2023-28299)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of newline characters in extension's name. A remote attacker can
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-28262)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Visual Studio, which leads to security restrictions bypass and privilege escalation.
3) Out-of-bounds read (CVE-ID: CVE-2023-28263)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in Visual Studio. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
4) Input validation error (CVE-ID: CVE-2023-28296)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in Visual Studio. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28299
- https://www.varonis.com/blog/visual-studio-bug
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28262
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28263
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28296