Lucene search

K
saintSAINT CorporationSAINT:C857C9B9FEF5E0F807DAAB797C3B2D87
HistoryMar 03, 2020 - 12:00 a.m.

Microsoft SharePoint Picker.aspx deserialization vulnerability

2020-03-0300:00:00
SAINT Corporation
my.saintcorporation.com
437

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

100.0%

Added: 03/03/2020
CVE: CVE-2019-0604
BID: 106914

Background

Microsoft SharePoint is a tool for management and automation of business processes, as well as a platform for social networking.

Problem

A deserialization vulnerability in Microsoft SharePoint allows remote attackers to execute arbitrary commands by sending a specially crafted request to the **Picker.aspx** resource.

Resolution

Apply the appropriate update referenced in Microsoft advisory CVE-2019-0604.

References

<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604&gt;

Platforms

Windows

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

100.0%