CVE-2020-11450

Опубликовано: 02 апр. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Высокий

Описание

Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.

Ссылки

http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/1
Mailing List
Third Party Advisory
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Patch
Vendor Advisory
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/1
Mailing List
Third Party Advisory
https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability
Patch
Vendor Advisory
https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:microstrategy:microstrategy_web:*:*:*:*:*:*:*:*

Версия до 11.0 (исключая)

EPSS

Процентиль: 99%

0.86821

Высокий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-pq8g-7rq7-j5mh