Directory Traversal Vulnerability in Crystal Reports Server by SAP
CVE-2018-2406

5.3MEDIUM

Key Information:

Vendor
SAP
Status
SAP Crystal Reports Server, Oem Edition
Vendor
CVE Published:
10 April 2018

Summary

A directory traversal vulnerability exists in Crystal Reports Server, OEM Edition, due to an unquoted Windows search path in the startup configuration. This flaw could allow attackers to escalate privileges or gain unauthorized access to sensitive files in the system by leveraging the vulnerable installations on affected versions, specifically those from 4.0 to 4.30. Prompt updates and configuration changes are recommended to mitigate potential security risks associated with this vulnerability.

Affected Version(s)

SAP Crystal Reports Server, OEM Edition 4.0

SAP Crystal Reports Server, OEM Edition 4.10

SAP Crystal Reports Server, OEM Edition 4.20

References

https://launchpad.support.sap.com/#/notes/2560132
x_refsource_MISC
https://blogs.sap.com/2018/04/10/sap-security-patch-day-a...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/103719
vdb-entryx_refsource_BID

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.