Information disclosure in Microsoft SQL Server Analysis Services

Published: 2017-08-08 21:57:07
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2017-8516
CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-264
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Microsoft SQL Server
Vulnerable software versions: Microsoft SQL Server 2012, Microsoft SQL Server 2014, Microsoft SQL Server 2016
Vendor URL: Microsoft

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper privilege enforcement in Microsoft SQL Server Analysis Services. A remote authenticated attacker can gain access to potentially sensitive information.

Successful exploitation of the vulnerability may allow an attacker to gain additional database and file information.

Remediation

Install the updates from the vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8516
