PT-2022-19716 · Microstrategy · Microstrategy Enterprise Manager
Haxpunk1337 · Published 2022-05-11 · Updated 2022-12-08
| CVE | CVE-2022-29596 |
| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MicroStrategy Enterprise Manager version 2022
Description
The issue allows authentication bypass by triggering a login failure and then entering a specific substring for directory traversal. This can be achieved by entering Uid=/../../../../../../../../../../../windows/win.ini%00.jpg&Pwd=<any password>&ConnMode=1&3054=Login. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations
For MicroStrategy Enterprise Manager version 2022, consider disabling the login functionality until a patch is available. Restrict access to the login endpoint to minimize the risk of exploitation. Avoid using the Uid and Pwd parameters in the affected login endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
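An added detection example, not part of the advisory and not MicroStrategy code: a Python script that scans web-server access logs for login requests whose Uid parameter carries the traversal-plus-NUL pattern described above, decoding repeatedly so double-encoded variants are not missed. The endpoint path /servlet/mstrWeb and the log lines are constructed assumptions.

```python
"""Flag CVE-2022-29596-style traversal attempts against the MicroStrategy
Enterprise Manager login endpoint in web-server access logs (defender side)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). The endpoint path is an
# assumption; the Uid values mirror the payload shape in the advisory, with a
# double-percent-encoded variant to show why decoding must be repeated.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2022:10:01:12 +0000] "GET /servlet/mstrWeb?Uid=/../../../../../../../../../../../windows/win.ini%00.jpg&Pwd=x&ConnMode=1&3054=Login HTTP/1.1" 200 512
10.0.0.6 - - [11/May/2022:10:01:15 +0000] "GET /servlet/mstrWeb?Uid=alice&Pwd=secret&ConnMode=1&3054=Login HTTP/1.1" 302 0
10.0.0.7 - - [11/May/2022:10:02:03 +0000] "GET /servlet/mstrWeb?Uid=..%252F..%252Fwindows%252Fwin.ini%2500.jpg&Pwd=x&ConnMode=1&3054=Login HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A ".." path segment bounded by slashes/backslashes or the string ends.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(uid):
    """True when a Uid value carries a traversal segment or a NUL truncator."""
    decoded = decode_fully(uid)
    return "\x00" in decoded or TRAVERSAL_RE.search(decoded) is not None

def find_suspicious_logins(log_text):
    """Return (client_ip, decoded_uid) for login requests that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for uid in query.get("Uid", []):  # parse_qs already decodes one level
            if is_traversal_attempt(uid):
                hits.append((line.split()[0], decode_fully(uid)))
    return hits

if __name__ == "__main__":
    for ip, uid in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ip} -> {uid!r}")
```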
Affected Products
Microstrategy Enterprise Manager