CVE-2019-1372
CVE-2019-1372 is a critical-severity vulnerability in Microsoft Azure App Service On Azure Stack with a CVSS 3.x base score of 10.0. Its EPSS exploit-prediction score of 18% places it in the 97th percentile, indicating an elevated likelihood of exploitation.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 10.0
- EPSS exploit prediction: 18% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Microsoft Azure App Service On Azure Stack
- Published:
- Last modified:
Description
An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it.An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.The security update addresses the vulnerability by ensuring that Azure App Service sanitizes user inputs., aka 'Azure App Service Remote Code Execution Vulnerability'.
Frequently asked questions
- What is CVE-2019-1372?
- An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it.An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.The security update addresses the vulnerability by ensuring that Azure App Service sanitizes user inputs., aka 'Azure App Service Remote Code Execution Vulnerability'.
- How severe is CVE-2019-1372?
- CVE-2019-1372 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-1372 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 18% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-1372?
- CVE-2019-1372 affects Microsoft Azure App Service On Azure Stack. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-1372?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2019-1372 published?
- CVE-2019-1372 was published on 2019-10-10 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1372
- https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
Affected products (1)
- cpe:2.3:a:microsoft:azure_app_service_on_azure_stack:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Azure App Service On Azure Stack
- CVE-2023-21777 — High (CVSS 8.7): Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
- CVE-2018-8600 — Medium (CVSS 6.1): A Cross-site Scripting (XSS) vulnerability exists when Azure App Services on Azure Stack does not properly sanitize…
- CVE-2025-53765 — Medium (CVSS 4.4): Exposure of private personal information to an unauthorized actor in Azure Stack allows an authorized attacker to…
All CVEs affecting Microsoft Azure App Service On Azure Stack →