The Microsoft SQL Server Reporting Services installation on the remote host is missing a security update due to a security feature bypass vulnerability
Reporter | Title | Published | Views | Family All 7 |
---|---|---|---|---|
CVE | CVE-2020-1044 | 11 Sep 202017:15 | – | cve |
NVD | CVE-2020-1044 | 11 Sep 202017:15 | – | nvd |
Cvelist | CVE-2020-1044 SQL Server Reporting Services Security Feature Bypass Vulnerability | 11 Sep 202017:08 | – | cvelist |
Kaspersky | KLA11958 SB vulnerability in Microsoft SQL Server | 8 Sep 202000:00 | – | kaspersky |
Microsoft CVE | SQL Server Reporting Services Security Feature Bypass Vulnerability | 8 Sep 202007:00 | – | mscve |
Prion | Security feature bypass | 11 Sep 202017:15 | – | prion |
Information Security Automation | Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange | 30 Sep 202023:46 | – | avleonov |
Source | Link |
---|---|
nessus | www.nessus.org/u |
cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were extracted from the Microsoft Security Updates
# API. The text itself is copyright (C) Microsoft Corporation.
#
include('compat.inc');
if (description)
{
script_id(140534);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/20");
script_cve_id("CVE-2020-1044");
script_xref(name:"IAVA", value:"2020-A-0410-S");
script_xref(name:"CEA-ID", value:"CEA-2020-0118");
script_name(english:"Security Updates for Microsoft SQL Server Reporting Services (September 2020)");
script_set_attribute(attribute:"synopsis", value:
"The Microsoft SQL Server Reporting Services installation on the remote host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The Microsoft SQL Server Reporting Services installation on the remote host is missing a security update. It is,
therefore, affected by a security feature bypass vulnerability in SQL Server Reporting Services (SSRS) due to improper
validation of uploaded attachments to reports. An authenticated, remote attacker could exploit this issue to upload file
types that were disallowed by an administrator. (CVE-2020-1044)");
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5708b76b");
script_set_attribute(attribute:"solution", value:
"Refer to Microsoft documentation and upgrade to relevant fixed version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1044");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/08");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server_reporting_services");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("sql_server_reporting_services_installed.nbin");
script_require_keys("installed_sw/Microsoft SQL Server Reporting Services");
script_require_ports(139, 445);
exit(0);
}
include('vcf.inc');
app_info = vcf::get_app_info(app:'Microsoft SQL Server Reporting Services', win_local:TRUE);
constraints = [
{ 'min_version':'14.0.0.0', 'fixed_version' : '14.0.600.1669'},
{ 'min_version':'15.0.0.0', 'fixed_version' : '15.0.7545.4810'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo