CVE-2020-24815

moderate-risk
Published 2020-11-24

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.

Do I need to act?

~
7.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (7)

Microstrategy
Microstrategy
Microstrategy
Microstrategy
Microstrategy
Microstrategy
Microstrategy

Affected Vendors

Microstrategy

References (6)

Vendor Advisory http://microstrategy.com
Vendor Advisory https://community.microstrategy.com/s/article/Securing-PDF-and-Excel-Export-with...
Exploit https://triskelelabs.com/extracting-your-aws-access-keys-through-a-pdf-file/
Vendor Advisory http://microstrategy.com
Vendor Advisory https://community.microstrategy.com/s/article/Securing-PDF-and-Excel-Export-with...
Exploit https://triskelelabs.com/extracting-your-aws-access-keys-through-a-pdf-file/
48
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 10/34 · Low
Exposure 14/34 · Moderate