CVE-2020-11452

Exploit

EPSS 0.3%
Veröffentlicht 02.04.2020 16:15:14
Zuletzt bearbeitet 21.11.2024 04:57:56
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microstrategy ≫ Microstrategy Web Version <= 10.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.527

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability

Patch

Vendor Advisory

http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2020/Apr/1

https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-11452