CVE-2020-6219 — Deserialization of Untrusted Data in SE Crystal Reports FOR VS

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE Crystal Reports FOR VS SAP SE SAP Business Objects Business Intelligence Platform SAP Businessobjects Business Intelligence Platform +1 more

Timeline

PublishedApr 14

Latest updateMay 24

Description

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5sap_se/sap_business_objects_business_intelligence_platform< 4.1+1

▶NVDsap/businessobjects_business_intelligence_platform4.1, 4.2+1

▶CVEListV5sap_se/crystal_reports_for_vs< 2010

▶NVDsap/crystal_reports2010

🔴Vulnerability Details

GHSA

GHSA-54q6-x68f-358m: SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4↗2022-05-24

▶

CVEList

CVE-2020-6219: SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4↗2020-04-14

▶