History: Apr 14, 2020 - 6:19 p.m.

CVE-2020-6219

2020-04-14 18:19:18
CWE-502
sap
www.cve.org

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

AI Score: 8.7
Confidence: High

EPSS: 0.001
Percentile: 40.9%

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform a deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data.

CNA Affected

[
  {
    "product": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.1"
      },
      {
        "status": "affected",
        "version": "< 4.2"
      }
    ]
  },
  {
    "product": "Crystal Reports for VS",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 2010"
      }
    ]
  }
]
