INTRODUCTION
Microsoft has released security update guide CVE-2021-41372 for Power BI Report Server. See the complete guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41372.
Symptoms
After certain malicious Microsoft Power BI reports are uploaded to a Power BI Report Server, it's possible to run scripts in the security context of the user and perform privilege escalation.
Affected versions
- Power BI Report Server (September 2021) 1.12.7936.39665 (build 15.0.1107.146)
- Power BI Report Server (May 2021) 1.11.7815.26414 (build 15.0.1106.169)
Power BI Report Server is updated to the following versions in this security update.
Product Name | Product version | File version |
---|---|---|
Power BI Report Server (September 2021) | 15.0.1107.165 | 1.12.7977.29537 |
Power BI Report Server (May 2021) | 15.0.1106.457 | 1.11.8091.10468 |
How to obtain and install the updates
These updates are available for download from the Microsoft Download Center:
- Download the September 2021 package now. Release date: November 9, 2021
- Download the May 2021 package now. Release date: March 4, 2022
More information
Prerequisites
To apply the updates, you must have any version of Power BI Report Server installed.