CVE-2022-41203 — Deserialization of Untrusted Data in SE SAP Businessobjects Business Intelligence Platform

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.0%

top 23.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform SAP Businessobjects Business Intelligence

Timeline

PublishedNov 8

Latest updateNov 9

Description

In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability. This could highly compromise the Confidentiality, Integrity, and Availability of the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform= 4.2, = 4.3+1

▶NVDsap/businessobjects_business_intelligence4.2, 4.3+1

🔴Vulnerability Details

GHSA

GHSA-733v-x8pr-2mxj: In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can i↗2022-11-09

▶

CVEList

CVE-2022-41203: In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can i↗2022-11-08

▶