Lucene search

SapCVELIST:CVE-2023-27896

HistoryMar 14, 2023 - 5:02 a.m.

CVE-2023-27896 Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platform

2023-03-1405:02:29

CWE-918

sap

www.cve.org

cve-2023-27896

server side request forgery

sap businessobjects

business intelligence platform

version 420

version 430

attacker control

malicious boe server

application server

cms

availability impact

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

37.9%

JSON

In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "BusinessObjects Business Intelligence Platform (Web Services)",
    "vendor": "SAP",
    "versions": [
      {
        "status": "affected",
        "version": "420"
      },
      {
        "status": "affected",
        "version": "430"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/3287120

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

37.9%

JSON

Related for CVELIST:CVE-2023-27896