PT-2019-11033 · MicroStrategy · MicroStrategy Web Services

Published: 2019-05-14 · Updated: 2019-05-17 · CVE-2018-6885

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MicroStrategy Web Services versions prior to 10.4 Hotfix 7; MicroStrategy Web Services versions prior to 10.11

Description: The issue allows unauthenticated access to asset files with MicroStrategy user privileges, potentially exposing the admin dashboard credentials, which may result in remote code execution (RCE). The vulnerability is a path traversal in a SOAP request handled by the web service component.

Recommendations: For versions prior to 10.4 Hotfix 7, update to version 10.4 Hotfix 7 or later. For versions prior to 10.11, update to version 10.11 or later.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2018-6885

Affected Products

MicroStrategy Web Services