Deserialization Vulnerability in SAP BusinessObjects BI Platform
CVE-2022-41203

9.9CRITICAL

Key Information:

Vendor

SAP
Status
SAP Businessobjects Business Intelligence Platform (central Management Console And Bi LauncHPad)
Vendor
CVE Published:
8 November 2022

What is CVE-2022-41203?

In specific workflows of the SAP BusinessObjects BI Platform, an authenticated attacker with low privileges may exploit a deserialization vulnerability. By intercepting a serialized object in system parameters and substituting it with a malicious counterpart, the attacker can trigger the deserialization of untrusted data. This exploitation has the potential to significantly undermine the confidentiality, integrity, and availability of system data, which may lead to unauthorized access or manipulation of sensitive information.

Affected Version(s)

SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) = 4.2 = 4.2

SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) = 4.3 = 4.3

References

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...
https://launchpad.support.sap.com/#/notes/3243924

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

CVSS V3.0

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.