Escalation of privilege possible in Power BI Report Server (September, May 2021): March 4, 2022 (KB5007903)

2021-11-09 08:00:00
Microsoft
support.microsoft.com

CVSS v3.1 base score: 7.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: Required
  Scope: Changed
  Confidentiality Impact: High
  Integrity Impact: Low
  Availability Impact: None

CVSS v2 base score: 6.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

EPSS score: 0.001 Low (percentile 47.1%)

INTRODUCTION

Microsoft has published Security Update Guide entry CVE-2021-41372 for Power BI Report Server. See the complete advisory at <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41372>.

Symptoms

After a specially crafted Power BI report is uploaded to a Power BI Report Server, script embedded in it can run in the security context of a user of the server and be used to elevate privilege. The CVSS vector reflects this: the attacker needs only low privileges (enough to upload a report), user interaction is required, and the scope changes because the script runs with the rights of the affected user rather than the uploader.

Affected versions

  Release                                   File version      Product version (build)
  Power BI Report Server (September 2021)   1.12.7936.39665   15.0.1107.146
  Power BI Report Server (May 2021)         1.11.7815.26414   15.0.1106.169

This security update brings Power BI Report Server to the following versions:

  Product name                              Product version   File version
  Power BI Report Server (September 2021)   15.0.1107.165     1.12.7977.29537
  Power BI Report Server (May 2021)         15.0.1106.457     1.11.8091.10468
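The check a practitioner wants from the two tables above is whether a given installation already carries the fixed file version. The following Python is an added example, not Microsoft's code or part of this KB. It assumes the server's file version is available as a four-part string in the same form as the "File version" column (for example "1.12.7936.39665"), identifies the release branch from the leading major.minor, and reports patched or unpatched, or out of scope for a release this KB does not list. The sample inputs are the affected and fixed versions from the tables plus a constructed "1.10.0.0".

```python
"""
Patch-state triage for KB5007903 / CVE-2021-41372.

Added example, not Microsoft's code. It takes the four-part file version
string reported by an installed Power BI Report Server (assumed to have the
same shape as the "File version" column in the KB, e.g. "1.12.7936.39665"),
identifies the release branch from its leading "major.minor", and compares
it against the fixed file version listed for that branch.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Fixed file versions per release branch, copied from the KB table.
# The branch is keyed by the leading "major.minor" of the file version.
FIXED_FILE_VERSION: dict[tuple[int, int], tuple[str, tuple[int, ...]]] = {
    (1, 12): ("Power BI Report Server (September 2021)", (1, 12, 7977, 29537)),
    (1, 11): ("Power BI Report Server (May 2021)", (1, 11, 8091, 10468)),
}


@dataclass(frozen=True)
class Verdict:
    release: str             # branch name, or a note that this KB does not cover it
    installed: str           # version string exactly as given
    patched: Optional[bool]  # None when the branch is outside this KB's scope


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints; anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(file_version: str) -> Verdict:
    """Decide whether the installed build already carries the KB5007903 fix."""
    installed = parse_version(file_version)
    branch = FIXED_FILE_VERSION.get(installed[:2])
    if branch is None:
        # Releases the KB does not list (older or newer branches) are out of
        # scope here. Not being listed is not evidence of safety; the MSRC
        # entry for CVE-2021-41372 is the place to check those.
        return Verdict("not covered by KB5007903", file_version, None)
    name, fixed = branch
    # Tuple comparison is numeric per component, which avoids the
    # string-ordering trap where "10" sorts below "9".
    return Verdict(name, file_version, installed >= fixed)


if __name__ == "__main__":
    # Constructed sample inputs: the two affected and two fixed versions from
    # the KB table, plus a made-up "1.10.0.0" for a branch this KB omits.
    for sample in ("1.12.7936.39665", "1.12.7977.29537",
                   "1.11.7815.26414", "1.11.8091.10468", "1.10.0.0"):
        print(triage(sample))
```

A build numerically above the fixed file version on the same branch is reported as patched, since later cumulative builds of that branch include this fix; a version on a branch the KB does not mention is deliberately reported as out of scope rather than as safe.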

How to obtain and install the updates

These updates are available for download from the Microsoft Download Center:

  • Download the September 2021 package (release date: November 9, 2021)
  • Download the May 2021 package (release date: March 4, 2022)

More information

Prerequisites

To apply these updates, you must already have a version of Power BI Report Server installed; each package targets its own release branch (September 2021 or May 2021).
