Vulnerability-Lookup

CNVD-2020-23178

Vulnerability from cnvd - Published: 2020-04-16

Title

Microstrategy Web信息泄露漏洞

Description

Microstrategy Web是美国Microstrategy公司的一套企业数据分析平台。该平台具有数据发现、数据可视化和报表生成等功能。 Microstrategy Web 10.4版本中存在安全漏洞。攻击者可利用该漏洞获取该应用程序运行环境的相关信息。

Severity

高

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：

https://www.microstrategy.com/

Impacted products

Name
MicroStrategy Microstrategy Web 10.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-11450"
    }
  },
  "description": "Microstrategy Web\u662f\u7f8e\u56fdMicrostrategy\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u6570\u636e\u5206\u6790\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u6570\u636e\u53d1\u73b0\u3001\u6570\u636e\u53ef\u89c6\u5316\u548c\u62a5\u8868\u751f\u6210\u7b49\u529f\u80fd\u3002\n\nMicrostrategy Web 10.4\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u8be5\u5e94\u7528\u7a0b\u5e8f\u8fd0\u884c\u73af\u5883\u7684\u76f8\u5173\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\n\r\nhttps://www.microstrategy.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-23178",
  "openTime": "2020-04-16",
  "products": {
    "product": "MicroStrategy Microstrategy Web 10.4"
  },
  "serverity": "\u9ad8",
  "submitTime": "2020-04-03",
  "title": "Microstrategy Web\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2020-11450 (GCVE-0-2020-11450)

Vulnerability from cvelistv5 – Published: 2020-04-02 15:01 – Updated: 2024-08-04 11:28

Summary

Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://community.microstrategy.com/s/article/Web…	x_refsource_MISC
	https://www.redtimmy.com/web-application-hacking/…	x_refsource_MISC
	http://packetstormsecurity.com/files/157068/Micro…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2020/Apr/1	mailing-listx_refsource_FULLDISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:28:13.908Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html"
          },
          {
            "name": "20200403 MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2020/Apr/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-09T20:28:56.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html"
        },
        {
          "name": "20200403 MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2020/Apr/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-11450",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability",
              "refsource": "MISC",
              "url": "https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability"
            },
            {
              "name": "https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/",
              "refsource": "MISC",
              "url": "https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/"
            },
            {
              "name": "http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html"
            },
            {
              "name": "20200403 MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2020/Apr/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-11450",
    "datePublished": "2020-04-02T15:01:45.000Z",
    "dateReserved": "2020-04-01T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:28:13.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-23178

CVE-2020-11450 (GCVE-0-2020-11450)

Tags

Sightings

Nomenclature