Microsoft issues an out-of-band update to address SharePoint information disclosure flaw

Pierluigi Paganini December 19, 2019

Microsoft issues an out-of-band update to address SharePoint flaw, tracked as CVE-2019-1491, that could be exploited to obtain sensitive information.

Microsoft issues an out-of-band update to fix an information disclosure vulnerability in SharePoint server, tracked as CVE-2019-1491, that could be exploited by an attacker to obtain sensitive information.

“An information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,” reads the advisory published by Microsoft. “To exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.”

Microsoft said that the update addresses the vulnerability by changing how the affected APIs process requests.

The CVE-2019-1491 flaw affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019. The flaw was reported by Saif ElSherei from the Microsoft Research Center’s Vulnerabilities and Mitigations Team.

This month, Microsoft Patch Tuesday security updates for the following software:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • Visual Studio
  • Skype for Business

Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.

The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.

Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.

The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SharePoint, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment