#VU79275 Insufficient verification of data authenticity in SAP BusinessObjects Business Intelligence suite - CVE-2023-37490


Vulnerability identifier: #VU79275

Vulnerability risk: Low

CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-37490

CWE-ID: CWE-345

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
SAP BusinessObjects Business Intelligence suite
Server applications / Other server solutions

Vendor: SAP

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing verification of data authenticity in the SAP BusinessObjects Installer application. An attacker with control over the network share from which the application is being installed can replace files in the installer's temporary directory with malicious ones and compromise the affected system.
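The weakness class here (CWE-345) is the absence of an integrity check on files the installer pulls from an untrusted location. The following is an added example, not code from SAP or from this bulletin, of the control that closes that gap on the defender's side: a manifest of SHA-256 digests produced from trusted installation media, checked against the staged copy before anything is executed. The manifest format, the function names and the "trusted"/"staged" directory layout are all assumptions of this example; the bulletin does not describe how the SAP installer itself stages files.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example (not SAP installer code): a manifest is a mapping of
# relative file path -> expected SHA-256 hex digest, produced from a trusted
# copy of the installation media before it is placed on a network share.


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installer archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(trusted_dir: Path) -> dict:
    """Hash every regular file under trusted_dir, keyed by POSIX-style relative path."""
    manifest = {}
    for path in sorted(trusted_dir.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(trusted_dir).as_posix()] = sha256_file(path)
    return manifest


def verify_staging_dir(staging_dir: Path, manifest: dict) -> dict:
    """Compare a staged copy (e.g. an installer's temporary directory) against the manifest.

    Returns a report with four lists so the caller can abort the install:
      ok         - files whose hash matches the manifest
      modified   - files present but with a different hash (replaced content)
      missing    - files listed in the manifest that are absent on disk
      unexpected - files on disk that the manifest never listed (planted extras)
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(staging_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(staging_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def is_clean(report: dict) -> bool:
    """Proceed with installation only when nothing was modified, added or removed."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Constructed scenario: trusted media, then a staged copy in which one file
    has been swapped for different content and one extra file has been planted."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        staged = Path(tmp) / "staged"
        for base in (trusted, staged):
            (base / "bin").mkdir(parents=True)
            (base / "setup.exe").write_bytes(b"original installer bytes")
            (base / "bin" / "helper.dll").write_bytes(b"original helper bytes")
        manifest = build_manifest(trusted)
        # Simulate tampering of the staged copy after the manifest was produced.
        (staged / "bin" / "helper.dll").write_bytes(b"replaced helper bytes")
        (staged / "bin" / "extra.dll").write_bytes(b"planted file")
        return verify_staging_dir(staged, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must come from a source the attacker cannot write to (it is pointless if it sits on the same share as the files it protects); a signed manifest or vendor-published digests serve that purpose. Reporting unexpected files separately matters because a planted library can be loaded by the installer even when every listed file is intact.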

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

SAP BusinessObjects Business Intelligence suite: 4.2 - 4.3


External links
https://me.sap.com/notes/3317710
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
