CVE-2021-26859: Microsoft Power BI Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.7)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Mar

Released

2021-03-09

EPSS Score

3.75% (percentile: 88.0%)

FAQ

What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of NTLM hashes.

Affected Products (2)

SQL Server

• Power BI Report Server version 15.0.1103.234
• Power BI Report Server version 15.0.1104.300

Security Updates (2)

• 5001284
• 5001285

Acknowledgments

Maxime ESCOURBIAC of <a href="https://cert.michelin.com/">Michelin CERT</a>

Revision History

• 2021-03-09: Information published.