CVE-2024-41730 — Missing Authorization in SE SAP Businessobjects Business Intelligence Platform

CWE-862 — Missing Authorization5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

14.3%

top 5.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform SAP Business Objects Business Intelligence Platform

Timeline

PublishedAug 13

Latest updateNov 22

Description

In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDsap/business_objects_business_intelligence_platformenterprise_430, enterprise_440+1

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform440, ENTERPRISE 430+1

🔴Vulnerability Details

CVEList

Missing Authentication check in SAP BusinessObjects Business Intelligence Platform↗2024-08-13

▶

GHSA

GHSA-fg4w-vj95-g2c7: In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a log↗2024-08-13

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS SAP BusinessObjects Business Intelligence Platform Authentication Bypass Attempt (CVE-2024-41730)↗2024-11-22

▶

🕵️Threat Intelligence

Bleepingcomputer

Critical SAP flaw allows remote attackers to bypass authentication↗2024-08-13

▶