CVE-2021-40500

Опубликовано: 12 окт. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.

Ссылки

https://launchpad.support.sap.com/#/notes/3074693
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
Vendor Advisory
https://launchpad.support.sap.com/#/notes/3074693
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.20:*:*:*:*:*:*:*

cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.30:*:*:*:*:*:*:*

EPSS

Процентиль: 79%

0.01212

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-m39x-pwc9-4whq

github

больше 3 лет назад