Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SAP_BUSINESS_OBJECTS_BIP_CVE-2022-24398.NASL
HistoryJan 10, 2023 - 12:00 a.m.

SAP BusinessObjects Business Intelligence Platform 4.2 < 4.2 SP9 P6 / 4.3 < 4.3 SP1 P11 Information Disclosure

2023-01-1000:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
41
sap businessobjects
bi platform
information disclosure
vulnerability
windows host.

0.001 Low

EPSS

Percentile

28.6%

JSON

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to 4.2 SP9 P6, 4.3 SP1 P11, 4.3 SP2 or 4.3 SP3. It is, therefore, affected by a vulnerability:

  • Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted. (CVE-2022-24398)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(169747);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/11");

  script_cve_id("CVE-2022-24398");
  script_xref(name:"IAVA", value:"2022-A-0104");

  script_name(english:"SAP BusinessObjects Business Intelligence Platform 4.2 < 4.2 SP9 P6 / 4.3 < 4.3 SP1 P11 Information Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is affected by an information disclosure vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to
4.2 SP9 P6, 4.3 SP1 P11, 4.3 SP2 or 4.3 SP3. It is, therefore, affected by a vulnerability:

 - Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an
   authenticated attacker to access information which would otherwise be restricted. (CVE-2022-24398)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's
self-reported version number.");
  # https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?18f404d5");
  script_set_attribute(attribute:"see_also", value:"https://launchpad.support.sap.com/#/notes/3103424");
  script_set_attribute(attribute:"solution", value:
"See vendor advisories.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-24398");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sap:businessobjects_business_intelligence_platform");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sap_business_objects_intelligence_platform_win_installed.nbin");
  script_require_keys("installed_sw/SAP BusinessObjects Business Intelligence Platform", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');

var app_info = vcf::get_app_info(app:'SAP BusinessObjects Business Intelligence Platform', win_local:TRUE);

# https://launchpad.support.sap.com/#/notes/0001602088 for translations
# 4.2 SP9 P6, 4.3 SP1 P11, 4.3 SP2, 4.3 SP3
var constraints = [
  { 'min_version': '14.2', 'fixed_version' : '14.2.9.4130', 'fixed_display': '4.2 SP009 000600'},
  { 'min_version': '14.3', 'fixed_version' : '14.3.1.4142', 'fixed_display': '4.3 SP001 001100 / 4.3 SP002 000000 / 4.3 SP003 000000'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
VendorProductVersionCPE
sapbusinessobjects_business_intelligence_platformcpe:/a:sap:businessobjects_business_intelligence_platform

Related

nvd 1
cvelist 1
cve 1
prion 1
nvd
nvd
CVE-2022-24398
2022-03-10 17:46:10
cvelist
cvelist
CVE-2022-24398
2022-03-08 13:35:41
cve
cve
CVE-2022-24398
2022-03-10 17:46:10
prion
prion
Authentication flaw
2022-03-10 17:46:00

0.001 Low

EPSS

Percentile

28.6%

JSON
Related for SAP_BUSINESS_OBJECTS_BIP_CVE-2022-24398.NASL
nvd1cvelist1cve1prion1