Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1044

A security feature bypass vulnerability exists in SQL Server Reporting Services (SSRS) when the server improperly validates attachments uploaded to reports. An attacker who successfully exploited this vulnerability could upload file types that were disallowed by an administrator. To exploit the vulnerability, an authenticated attacker would need to send a specially crafted request to an affected SSRS server. The update addresses the vulnerability by modifying how SSRS validates attachment uploads.

Published

2020-09-11T17:15:18.260

Last Modified

2024-11-21T05:09:37.700

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	microsoft	sql_server_reporting_services	2017	Yes
Application	microsoft	sql_server_reporting_services	2019	Yes

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044 Patch, Vendor Advisory ([email protected])
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)