CVE-2020-24815

Опубликовано: 24 нояб. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.

Ссылки

http://microstrategy.com
Vendor Advisory
https://community.microstrategy.com/s/article/Securing-PDF-and-Excel-Export-with-Whitelists?language=en_US
Vendor Advisory
https://triskelelabs.com/extracting-your-aws-access-keys-through-a-pdf-file/
Exploit
Third Party Advisory
http://microstrategy.com
Vendor Advisory
https://community.microstrategy.com/s/article/Securing-PDF-and-Excel-Export-with-Whitelists?language=en_US
Vendor Advisory
https://triskelelabs.com/extracting-your-aws-access-keys-through-a-pdf-file/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:microstrategy:microstrategy:10.4:*:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2019:update1:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2019:update2:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2019:update3:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2019:update4:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2019:update5:*:*:*:*:*:*

cpe:2.3:a:microstrategy:microstrategy:2020:update1:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.07537

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-73jg-p8q6-m47j

github

больше 3 лет назад