Power BI Report Server におけるなりすまされる脆弱性
| Title |
Power BI Report Server におけるなりすまされる脆弱性
|
| Summary |
Power BI Report Server には、なりすまされる脆弱性が存在します。
|
| Possible impacts |
なりすまされる可能性があります。 |
| Solution |
ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
Nov. 9, 2021, midnight |
| Registration Date |
Nov. 15, 2021, 5:48 p.m. |
| Last Update |
Nov. 15, 2021, 5:48 p.m. |
|
CVSS3.0 : 緊急
|
| Score |
9.6
|
| Vector |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
|
CVSS2.0 : 警告
|
| Score |
6.8
|
| Vector |
AV:N/AC:M/Au:N/C:P/I:P/A:P |
Affected System
| マイクロソフト |
|
Power BI Report Server
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
| No |
Changed Details |
Date of change |
| 1 |
[2021年11月15日]
掲載 |
Nov. 15, 2021, 5:48 p.m. |
NVD Vulnerability Information
CVE-2021-41372
| Summary |
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim.
Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded.
The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.
|
| Publication Date |
Nov. 10, 2021, 10:19 a.m. |
| Registration Date |
Nov. 10, 2021, 4 p.m. |
| Last Update |
Nov. 21, 2024, 3:26 p.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:microsoft:power_bi_report_server:15.0.1107.165:*:*:*:*:*:*:* |
|
|
|
|
Related information, measures and tools
Common Vulnerabilities List