Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (Installer)
CVE-2023-40623
7.1 HIGH
Key Information:
- Vendor: SAP
- CVE Published: 12 September 2023
Summary
The SAP BusinessObjects Suite Installer versions 420 and 430 contain a directory traversal vulnerability that enables attackers within the same network to create a malicious directory in the temporary folder. That directory can then be linked to critical operating system files, potentially resulting in the deletion of those files. Consequently, the attacker can compromise system availability and have a limited impact on data integrity.
Affected Version(s)
SAP BusinessObjects Suite (Installer) 420
SAP BusinessObjects Suite (Installer) 430
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved