Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform
CVE-2023-36917

7.5HIGH

Key Information:

Vendor: SAP
Status: SAP BusinessObjects Business Intelligence Platform
Vendor: CVE Published:; 11 July 2023

What is CVE-2023-36917?

The SAP BusinessObjects Business Intelligence Platform versions 420 and 430 are susceptible to a session hijack vulnerability. This allows an attacker, who has gained unauthorized access to a user's session, to circumvent the victim’s old password using brute force tactics. The weakness arises from an unrestricted rate limit in the password change functionality. While this vulnerability does not compromise the integrity or availability of the system, it poses a significant risk of account takeover, potentially granting the attacker full access to the victim's account.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SAP BusinessObjects Business Intelligence Platform 4.20

SAP BusinessObjects Business Intelligence Platform 430

References

https://me.sap.com/notes/3320702

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 11, 2023
Vulnerability Reserved
Jun 27, 2023

JSON

SAP

What is CVE-2023-36917?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.