CVE-2022-41267 — Unrestricted File Upload in SAP Businessobjects Business Intelligence Platform

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGHNVD

CNA9.9

EPSS

0.5%

top 32.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Businessobjects Business Intelligence Platform SAP Business Objects Business Intelligence Platform

Timeline

PublishedDec 13

Description

SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap/businessobjects_business_intelligence_platform420, 430+1

▶NVDsap/business_objects_business_intelligence_platform420, 430+1

🔴Vulnerability Details

CVEList

CVE-2022-41267: SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Object↗2022-12-13

▶

GHSA

GHSA-8v36-8jq8-23wc: SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Object↗2022-12-13

▶