Microsoft issues an out-of-band update to address SharePoint information disclosure flaw

December 19, 2019  By Pierluigi Paganini


Microsoft issues an out-of-band update to address SharePoint flaw, tracked as CVE-2019-1491, that could be exploited to obtain sensitive information.

Microsoft issues an out-of-band update to fix an information disclosure vulnerability in SharePoint server, tracked as CVE-2019-1491, that could be exploited by an attacker to obtain sensitive information.

“An information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,” reads the advisory published by Microsoft. “To exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.”

Microsoft said that the update addresses the vulnerability by changing how the affected APIs process requests.

The CVE-2019-1491 flaw affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019. The flaw was reported by Saif ElSherei from the Microsoft Research Center’s Vulnerabilities and Mitigations Team.

This month, Microsoft Patch Tuesday security updates for the following software:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • Visual Studio
  • Skype for Business

Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.

The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.

Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.

The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SharePoint, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Emotet distributed with emails posing as German authorities, BSI warns

 BSI, Germany's federal cybersecurity agency warns of an active malspam campaign that distributing the infamous Emotet banking...