Detections
Analytics
SAP BusinessObjects Business Intelligence Platform < 420, 430 Information Disclosure (3298961)
critical Nessus Plugin ID 174174
Language:
Synopsis
SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is affected by an information disclosure vulnerabilityDescription
The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to 420, 430. It is, therefore, affected by an information disclosure vulnerability. An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user's passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application.Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
See vendor advisories.See Also
Plugin Details
Severity: Critical
ID: 174174
File Name: sap_business_objects_bip_cve-2023-28765.nasl
Version: 1.3
Type: local
Agent: windows
Family: Windows
Published: 4/12/2023
Updated: 4/14/2023
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2023-28765
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:sap:businessobjects_business_intelligence_platform
Required KB Items: SMB/Registry/Enumerated, installed_sw/SAP BusinessObjects Business Intelligence Platform
Exploit Ease: No known exploits are available
Patch Publication Date: 4/11/2023
Vulnerability Publication Date: 4/11/2023
Reference Information
CVE: CVE-2023-28765
IAVA: 2023-A-0192