Impact
The vulnerability is a server-side request forgery (SSRF) that allows an authenticated user to make the Azure DevOps Server issue arbitrary HTTP requests to internal network addresses, effectively enabling spoofing of internal services. The flaw is classified as CWE-918 and can be used to reach or manipulate resources that are normally shielded by internal firewalls. Because the requests originate from the server itself, an attacker could potentially exfiltrate data or pivot to other systems, compromising confidentiality and possibly integrity if internal resources are modified.
Affected Systems
Microsoft Azure DevOps Server 2022. No specific patch or version details are listed in the CNA data, so all installations of the 2022 release are potentially vulnerable until updated.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of <1% suggests a low current probability of exploitation. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires an authorized user who supplies a crafted request that the server processes as part of its normal workflow. Inference: the likely attack vector is a specially crafted URL or payload, submitted through an authenticated session, that causes the server to issue an outbound request to a target internal host.
OpenCVE Enrichment