Microsoft issues an out-of-band update to fix an information disclosure vulnerability in SharePoint server, tracked as CVE-2019-1491, that could be exploited by an attacker to obtain sensitive information.
“An information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,” reads the advisory published by Microsoft. “To exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.”
Microsoft said that the update addresses the vulnerability by changing how the affected APIs process requests.
The CVE-2019-1491 flaw affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019. The flaw was reported by Saif ElSherei from the Microsoft Research Center’s Vulnerabilities and Mitigations Team.
This month, Microsoft Patch Tuesday security updates for the following software:
Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.
The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.
Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.
The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.
(SecurityAffairs – SharePoint, hacking)