CVE-2020-0758: 
vulnerability analysis and mitigation

An elevation of privilege vulnerability (CVE-2020-0758) exists in Azure DevOps Server and Team Foundation Services when they improperly handle pipeline job tokens. The vulnerability was disclosed in March 2020 and affects multiple versions of Azure DevOps Server 2019 and Team Foundation Server 2017/2018 (MITRE, NVD).

The vulnerability stems from improper handling of pipeline job tokens in Azure DevOps Server and Team Foundation Services. The security issue allows attackers to extend their access to a project by swapping short-term tokens for long-term ones. Microsoft has rated this vulnerability as Important severity (Bleeping Computer).

A successful exploitation of this vulnerability could allow an attacker to extend their access to a project. However, the attacker must first have access to the project to exploit this vulnerability by swapping the short-term token for a long-term one (MITRE).

Microsoft has addressed the vulnerability by correcting how the Azure DevOps Server and Team Foundation Services updater handles these tokens. The fix was released through security updates for affected versions including Azure DevOps Server 2019 Update 1, 1.1, 2019.0.1, and Team Foundation Server 2017 Update 3.1, 2018 Update 1.2, and 2018 Update 3.2 (Bleeping Computer).

The vulnerability was discovered and reported by security researcher Terry Zhang (@pnig0s) (Bleeping Computer).