CVE-2020-0900: 
Visual Studio 2022 vulnerability analysis and mitigation

An elevation of privilege vulnerability (CVE-2020-0900) was discovered in the Visual Studio Extension Installer Service, disclosed in April 2020. The vulnerability affects multiple versions of Microsoft Visual Studio, including Visual Studio 2015 Update 3, Visual Studio 2017 Version 15.9, Visual Studio 2019 Version 16.0, 16.4, and 16.5. The flaw exists when the Visual Studio Extension Installer Service improperly handles file operations (NVD, Microsoft Support).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability requires local access and low privileges to exploit, with no user interaction needed. The impact primarily affects integrity, with no direct impact on confidentiality or availability (NVD).

If successfully exploited, this vulnerability could allow an attacker to delete files in arbitrary locations with elevated permissions. The attack requires the attacker to have local access to the target system (NVD, Qualys).

Microsoft has released security updates to address this vulnerability. For Visual Studio 2015 Update 3, users must have both Visual Studio 2015 Update 3 and the Cumulative Servicing Release KB 3165756 installed before applying the security update. It is recommended to close Visual Studio before installing the security update (Microsoft Support).