CVE-2020-0931: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0931) was discovered in Microsoft SharePoint when the software fails to check the source markup of an application package. The vulnerability was disclosed on April 15, 2020, affecting multiple versions of SharePoint including SharePoint Enterprise Server 2013 SP1, 2016, SharePoint Foundation 2013 SP1, and SharePoint Server 2019 (NVD).

The specific vulnerability exists within the handling of controls in the Microsoft.PerformancePoint.Scorecards.Client module. The flaw is triggered when instantiating the ExcelDataSet control, which can lead to the deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk (ZDI, NVD).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the SharePoint web server process. The vulnerability allows for complete compromise of system confidentiality, integrity, and availability with high impact ratings across all three security metrics (ZDI).

Microsoft has released a security update to address this vulnerability. The fix is available through Microsoft Update, Microsoft Update Catalog, and as a standalone package through the Microsoft Download Center. Organizations using affected SharePoint versions should apply security update 4484291 for the 64-bit version of SharePoint Server 2019 Language Pack (Microsoft Support).