CVE-2020-16874 : A remote code execution vulnerability exists in Visual Studio when it imprope

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio. The update addresses the vulnerability by correcting how Visual Studio handles objects in memory.

Published 2020-09-11 17:15:17

Updated 2023-12-31 22:15:52

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-16874

Microsoft » Visual Studio » Version: 2012 Update Update 5
cpe:2.3:a:microsoft:visual_studio:2012:update_5:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio » Version: 2015 Update Update 3
cpe:2.3:a:microsoft:visual_studio:2015:update_3:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio » Version: 2013 Update Update 5
cpe:2.3:a:microsoft:visual_studio:2013:update_5:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2017
Versions from including (>=) 15.0 and up to, including, (<=) 15.8
cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2019
Versions from including (>=) 16.5 and up to, including, (<=) 16.6
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Visual Studio 2019
Versions from including (>=) 16.0 and up to, including, (<=) 16.3
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-16874

EPSS FAQ

5.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-16874

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	Microsoft Corporation
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-16874

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874

CVE-2020-16874 | Visual Studio Remote Code Execution Vulnerability
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-16874

Products affected by CVE-2020-16874

Exploit prediction scoring system (EPSS) score for CVE-2020-16874

CVSS scores for CVE-2020-16874

References for CVE-2020-16874