Sensitive Information Disclosure in the SAP BusinessObjects Business Intelligence platform
CVE-2023-27894

5.3MEDIUM

Key Information:

Vendor: SAP
Status: BusinessObjects Business Intelligence Platform (Web Services)
Vendor: CVE Published:; 14 March 2023

Summary

SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data.

Affected Version(s)

BusinessObjects Business Intelligence Platform (Web Services) 420

BusinessObjects Business Intelligence Platform (Web Services) 430

References

https://launchpad.support.sap.com/#/notes/3287120

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2023
Vulnerability Reserved
Mar 7, 2023