Security Updates for Microsoft SQL Server Reporting Services (September 2020)

medium Nessus Plugin ID 140534

Synopsis

The Microsoft SQL Server Reporting Services installation on the remote host is missing a security update.

Description

The Microsoft SQL Server Reporting Services installation on the remote host is missing a security update. It is, therefore, affected by a security feature bypass vulnerability in SQL Server Reporting Services (SSRS) due to improper validation of uploaded attachments to reports. An authenticated, remote attacker could exploit this issue to upload file types that were disallowed by an administrator. (CVE-2020-1044)

Solution

Refer to Microsoft documentation and upgrade to relevant fixed version.

See Also

http://www.nessus.org/u?5708b76b

Plugin Details

Severity: Medium

ID: 140534

File Name: smb_nt_ms20_sep_ssrs.nasl

Version: 1.8

Type: local

Agent: windows

Published: 9/11/2020

Updated: 11/29/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-1044

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:sql_server_reporting_services

Required KB Items: installed_sw/Microsoft SQL Server Reporting Services

Exploit Ease: No known exploits are available

Patch Publication Date: 9/8/2020

Vulnerability Publication Date: 9/8/2020

Reference Information

CVE: CVE-2020-1044

IAVA: 2020-A-0410-S