cnvd - cnvd-2023-40160

CNVD-2023-40160

Vulnerability from cnvd - Published: 2023-05-24

Title

SAP BusinessObjects Platform信息泄露漏洞

Description

SAP BusinessObjects Platform是德国思爱普（SAP）公司的一个用于数据报告、可视化和共享的集中式套件。 SAP BusinessObjects Platform存在安全漏洞，远程攻击者可利用该漏洞提交特殊的请求，通过嗅探可获取敏感信息。

Severity

中

Patch Name

SAP BusinessObjects Platform信息泄露漏洞的补丁

Patch Description

SAP BusinessObjects Platform是德国思爱普（SAP）公司的一个用于数据报告、可视化和共享的集中式套件。 SAP BusinessObjects Platform存在安全漏洞，远程攻击者可利用该漏洞提交特殊的请求，通过嗅探可获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已提供漏洞修复方案，请关注厂商主页更新： https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-28764

Impacted products

Name
['SAP BusinessObjects 4.20', 'SAP BusinessObjects 4.30']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-28764",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-28764"
    }
  },
  "description": "SAP BusinessObjects Platform\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8e\u6570\u636e\u62a5\u544a\u3001\u53ef\u89c6\u5316\u548c\u5171\u4eab\u7684\u96c6\u4e2d\u5f0f\u5957\u4ef6\u3002\n\nSAP BusinessObjects Platform\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u901a\u8fc7\u55c5\u63a2\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-40160",
  "openTime": "2023-05-24",
  "patchDescription": "SAP BusinessObjects Platform\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8e\u6570\u636e\u62a5\u544a\u3001\u53ef\u89c6\u5316\u548c\u5171\u4eab\u7684\u96c6\u4e2d\u5f0f\u5957\u4ef6\u3002\r\n\r\nSAP BusinessObjects Platform\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u901a\u8fc7\u55c5\u63a2\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP BusinessObjects Platform\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP BusinessObjects 4.20",
      "SAP BusinessObjects 4.30"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-28764",
  "serverity": "\u4e2d",
  "submitTime": "2023-05-15",
  "title": "SAP BusinessObjects Platform\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2023-28764 (GCVE-0-2023-28764)

Vulnerability from cvelistv5 – Published: 2023-05-09 00:55 – Updated: 2025-01-28 18:57

Summary

SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

sap

References

URL

Tags

	https://i7p.wdf.sap.corp/sap/support/notes/3302595
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP BusinessObjects Platform	Affected: 420 Affected: 430

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T13:51:37.075Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28764",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T18:57:07.115258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T18:57:29.954Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP BusinessObjects Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "420"
            },
            {
              "status": "affected",
              "version": "430"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.\u003c/p\u003e"
            }
          ],
          "value": "SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-09T00:55:04.357Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://i7p.wdf.sap.corp/sap/support/notes/3302595"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP BusinessObjects Platform",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-28764",
    "datePublished": "2023-05-09T00:55:04.357Z",
    "dateReserved": "2023-03-23T04:20:27.699Z",
    "dateUpdated": "2025-01-28T18:57:29.954Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-40160

CVE-2023-28764 (GCVE-0-2023-28764)

Tags

Sightings

Nomenclature