CVE-2024-25646

Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence

Severity Score

7.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application.

Debido a una validación incorrecta, SAP BusinessObject Business Intelligence Launch Pad permite que un atacante autenticado acceda a información del sistema operativo mediante un documento manipulado. Una explotación exitosa podría tener un impacto considerable en la confidencialidad de la solicitud.

*Credits: N/A

CVSS Scores

SAP SEv3.1 7.7

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-09 CVE Reserved
2024-04-09 CVE Published
2024-04-09 EPSS Updated
2024-09-28 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (2)

URL	Tag	Source
https://me.sap.com/notes/3421384
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
SAP SE Search vendor "SAP SE"		SAP BusinessObjects Web Intelligence Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence"				420 Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence" and version "420"		en		Affected
SAP SE Search vendor "SAP SE"		SAP BusinessObjects Web Intelligence Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence"				430 Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence" and version "430"		en		Affected
SAP SE Search vendor "SAP SE"		SAP BusinessObjects Web Intelligence Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence"				440 Search vendor "SAP SE" for product "SAP BusinessObjects Web Intelligence" and version "440"		en		Affected