Vulnerability Description
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: for 10.4, no fix will be released, as that version reaches end-of-life on 31/12/2020.
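The description names the mechanism (the server-side PDF renderer fetches whatever resources the HTML container references) but not the check a developer or operator would apply to such content before rendering. The following is an added example, not MicroStrategy's code and not taken from the referenced advisories: a pre-render audit of an HTML fragment that rejects any resource URL with a non-HTTP(S) scheme (for example file:) or with a host that is, or resolves to, a loopback, link-local (which includes the 169.254.169.254 cloud metadata endpoint), private or other special-purpose address. The sample fragment, the stub resolver and its address table are constructed for the example.

```python
"""Pre-render audit of HTML bound for a server-side PDF renderer.
Added example: not MicroStrategy code and not from the referenced advisories.
Rejects resource URLs that would let the renderer reach the local filesystem
or internal/link-local addresses such as the cloud metadata service."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which an HTML renderer fetches a resource.
URL_ATTRS = ("src", "href", "data", "action", "poster", "background")
ALLOWED_SCHEMES = {"http", "https"}
# Names that must never be fetched regardless of what they resolve to.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def is_internal(ip):
    """True for loopback, link-local (169.254.0.0/16, which covers the AWS
    metadata endpoint), RFC 1918 and other special-purpose ranges."""
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_all(host, resolver=socket.getaddrinfo):
    """Every address the name resolves to; the check must pass for all of them.
    Unparseable answers (e.g. scoped IPv6 on old Pythons) fail closed."""
    try:
        return {ipaddress.ip_address(r[4][0]) for r in resolver(host, None)}
    except (socket.gaierror, ValueError):
        return set()


def check_url(url, resolver=socket.getaddrinfo):
    """Return None if the renderer may fetch this URL, else the reason to refuse it."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme or '(none)'!r} not allowed"
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return "missing host"
    host = host.rstrip(".")
    if host in BLOCKED_HOSTS:
        return f"host {host!r} is blocked"
    try:
        if host.isdigit():
            # http://2130706433/ is 127.0.0.1 to inet_aton-style parsers.
            addrs = {ipaddress.IPv4Address(int(host))}
        else:
            addrs = {ipaddress.ip_address(host)}  # dotted quad or IPv6 literal
    except ValueError:
        # A hostname: resolve it (the OS resolver also normalises forms like 127.1).
        addrs = resolve_all(host, resolver)
        if not addrs:
            return f"host {host!r} did not resolve"
    for ip in sorted(addrs, key=str):
        if is_internal(ip):
            return f"host {host!r} resolves to internal address {ip}"
    return None


class ResourceUrlCollector(HTMLParser):
    """Collect every (tag, attribute, url) the renderer would try to load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        for name in URL_ATTRS:
            if name in attrs:
                self.urls.append((tag, name, attrs[name]))
        # <meta http-equiv="refresh" content="0;url=..."> also names a target.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            content = attrs.get("content", "")
            if "url=" in content.lower():
                self.urls.append((tag, "content", content.split("=", 1)[1].strip()))


def audit_html(fragment, resolver=socket.getaddrinfo):
    """Return [(tag, attr, url, reason)] for every resource the renderer must not fetch."""
    collector = ResourceUrlCollector()
    collector.feed(fragment)
    collector.close()
    findings = []
    for tag, attr, url in collector.urls:
        reason = check_url(url, resolver)
        if reason is not None:
            findings.append((tag, attr, url, reason))
    return findings


# Constructed sample of an HTML container as it might be embedded in a dossier.
SAMPLE_HTML = """
<div class="dossier-html-container">
  <img src="https://example.com/logo.png">
  <iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>
  <iframe src="file:///etc/passwd"></iframe>
  <object data="http://[::1]:8080/admin"></object>
  <link rel="stylesheet" href="http://intranet.corp.example/style.css">
  <a href="http://2130706433/">decimal loopback</a>
  <meta http-equiv="refresh" content="0;url=http://0.0.0.0:9000/">
</div>
"""


def offline_resolver(host, port, *args):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    table = {"example.com": "93.184.216.34", "intranet.corp.example": "10.0.0.5"}
    if host not in table:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port or 0))]


if __name__ == "__main__":
    for tag, attr, url, reason in audit_html(SAMPLE_HTML, offline_resolver):
        print(f"REJECT <{tag} {attr}={url!r}>: {reason}")
```

Two caveats apply to any check of this shape. It resolves names at audit time while the renderer resolves them again at fetch time, so a DNS answer that changes between the two (rebinding) still reaches the internal address; pin the audited address for the fetch or, better, run the renderer in a network context whose egress policy denies link-local, loopback and private ranges outright. And it is a compensating control for the input path, not a replacement for the vendor update named in the description.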
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| MicroStrategy | MicroStrategy | 10.4 (no fix; end-of-life 31/12/2020) |
| MicroStrategy | MicroStrategy | 2019 before Update 6 |
| MicroStrategy | MicroStrategy | 2020 before Update 2 |
Related Weaknesses (CWE)
- CWE-918 Server-Side Request Forgery (SSRF)
References
- http://microstrategy.com (Vendor Advisory)
- https://community.microstrategy.com/s/article/Securing-PDF-and-Excel-Export-with (Vendor Advisory)
- https://triskelelabs.com/extracting-your-aws-access-keys-through-a-pdf-file/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-24815?
CVE-2020-24815 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document.
How severe is CVE-2020-24815?
CVE-2020-24815 has been rated MEDIUM with a CVSS base score of 6.5/10. Exploitation requires an authenticated user; the impact is read access, from the server that generates the PDF, to internal network resources and to files on its local filesystem.
Is there a patch for CVE-2020-24815?
For supported versions, yes: MicroStrategy 2019 Update 6 and MicroStrategy 2020 Update 2 contain the fix (see the vendor advisories in the references section). No fix will be released for MicroStrategy 10.4, which reaches end-of-life on 31/12/2020.