Multiple vulnerabilities in Microsoft Visual Studio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-29060 CVE-2024-30052 |
| CWE-ID | CWE-254 CWE-693 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Visual Studio Universal components / Libraries / Software for developers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU91701
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-29060
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error when handling extensions. A remote attacker can trick the victim to install a malicious extension and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsVisual Studio: 15.0 26228.04 - 17.10.1 17.10.34928.147
CPE2.3- cpe:2.3:a:microsoft:visual_studio:15.0:26228.04:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.09:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.10:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.13:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.16:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.17:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.18:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.21:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.23:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-29060
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Protection mechanism failure
EUVDB-ID: #VU91699
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2024-30052
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient implementation of security measures. An attacker can trick victim to open a specially crafted file and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsVisual Studio: 15.0 26228.04 - 17.10.1 17.10.34928.147
CPE2.3- cpe:2.3:a:microsoft:visual_studio:15.0:26228.04:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.09:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.10:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.13:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.16:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.17:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.18:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.21:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio:15.0:26228.26:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-30052
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
