CVE-2020-1044

Published: Sep 11, 2020Modified: Feb 23, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD (Secondary)

Description

<p>A security feature bypass vulnerability exists in SQL Server Reporting Services (SSRS) when the server improperly validates attachments uploaded to reports. An attacker who successfully exploited this vulnerability could upload file types that were disallowed by an administrator.</p> <p>To exploit the vulnerability, an authenticated attacker would need to send a specially crafted request to an affected SSRS server.</p> <p>The update addresses the vulnerability by modifying how SSRS validates attachment uploads.</p>

Affected (2)

Products: Microsoft: Sql Server Reporting Services

1 product

Sql Server Reporting Services

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Microsoft Sql Server Reporting Services	Version 2017
Microsoft Sql Server Reporting Services	Version 2019

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044

Source: secure@microsoft.com

PatchVendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1044

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.