Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platform
CVE-2023-27896

7.5HIGH

Key Information:

Vendor: SAP
Status: BusinessObjects Business Intelligence Platform (Web Services)
Vendor: CVE Published:; 14 March 2023

Summary

In SAP BusinessObjects Business Intelligence Platform versions 420 and 430, a vulnerability exists that allows an attacker to control a malicious BOE server. This exploitation method can force the application server to establish a connection with its own Central Management Server (CMS), which could severely disrupt the availability of the application. Organizations using these versions should implement necessary security measures to mitigate potential risks associated with this vulnerability.

Affected Version(s)

BusinessObjects Business Intelligence Platform (Web Services) 420

BusinessObjects Business Intelligence Platform (Web Services) 430

References

https://launchpad.support.sap.com/#/notes/3287120

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2023
Vulnerability Reserved
Mar 7, 2023