Deserialization Vulnerability in SAP BusinessObjects BI Platform
CVE-2022-41203

9.9 CRITICAL

Summary

In specific workflows of the SAP BusinessObjects BI Platform, an authenticated attacker with low privileges may exploit a deserialization vulnerability. By intercepting a serialized object in system parameters and substituting it with a malicious counterpart, the attacker can trigger the deserialization of untrusted data. This exploitation has the potential to significantly undermine the confidentiality, integrity, and availability of system data, which may lead to unauthorized access or manipulation of sensitive information.

Affected Version(s)

SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) = 4.2

SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) = 4.3

References

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved