CVE-2020-1044 — MEDIUM (4.3)

Vulnerability Description

A security feature bypass vulnerability exists in SQL Server Reporting Services (SSRS) when the server improperly validates attachments uploaded to reports. An attacker who successfully exploited this vulnerability could upload file types that were disallowed by an administrator. To exploit the vulnerability, an authenticated attacker would need to send a specially crafted request to an affected SSRS server. The update addresses the vulnerability by modifying how SSRS validates attachment uploads.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Microsoft	Sql Server Reporting Services	2017

Related Weaknesses (CWE)

CWE-20

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044PatchVendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044PatchVendor Advisory

FAQ

What is CVE-2020-1044?

CVE-2020-1044 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A security feature bypass vulnerability exists in SQL Server Reporting Services (SSRS) when the server improperly validates attachments uploaded to reports. An attacker who successfully exploited t...

How severe is CVE-2020-1044?

CVE-2020-1044 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-1044?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Sql Server Reporting Services.