CVE-2020-11453

Exploit

EPSS 1.71%
Veröffentlicht 02.04.2020 16:15:14
Zuletzt bearbeitet 21.11.2024 04:57:57
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microstrategy ≫ Microstrategy Web Version10.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.71%	0.821

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability

Patch

Vendor Advisory

http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2020/Apr/1

https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-11453