CVSS3: 7.6 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | LOW |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CVSS2: 6.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low (Percentile: 47.1%)

Microsoft has released security update guide CVE-2021-41372 for Power BI Report Server. See the complete guide at <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41372>.
After certain malicious Microsoft Power BI reports are uploaded to a Power BI Report Server, it’s possible to run scripts in the security context of the user and perform privilege escalation.
Power BI Report Server is updated to the following versions in this security update.

Product Name | Product version | File version |
---|---|---|
Power BI Report Server (September 2021) | 15.0.1107.165 | 1.12.7977.29537 |
Power BI Report Server (May 2021) | 15.0.1106.457 | 1.11.8091.10468 |

These updates are available for download from the Microsoft Download Center:

- Download the September 2021 package now. Release date: November 9, 2021
- Download the May 2021 package now. Release date: March 4, 2022

To apply the updates, you must have any version of Power BI Report Server installed.