SAP BusinessObjects Business Intelligence Platform Multiple Vulnerabilities (3433545)

medium Nessus Plugin ID 207852

Synopsis

The remote host is missing one or more security updates.

Description

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote host is prior to 4.2 SP009 001900, 4.3 SP003 001200, 4.3 SP004 000600, or 4.3 SP005 000000. It is, therefore, affected by multiple vulnerabilities as referenced in the 3433545 and 3515653 advisories.

- SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application. (CVE-2024-42375)

- SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to upload malicious files to the BI file repository over the network. For an attacker to bypass the front-end file format check, in-depth system knowledge is required. On successful exploitation, the attacker could modify some data, causing low impact on the Integrity of the application. (CVE-2024-28166)

- SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious files to the BI file repository over the network. For an attacker to bypass the front-end file format check, in-depth system knowledge is required. On successful exploitation, the attacker could modify some data, causing low impact on the Integrity of the application. (CVE-2024-41731)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to SAP BusinessObjects Business Intelligence Platform version 4.2 SP009 001900 / 4.3 SP003 001200 / 4.3 SP004 000600 / 4.3 SP005 000000 or later.

See Also

https://launchpad.support.sap.com/#/notes/3433545

https://launchpad.support.sap.com/#/notes/3515653

Plugin Details

Severity: Medium

ID: 207852

File Name: sap_business_objects_bip_aug_2024_3433545.nasl

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 9/27/2024

Updated: 12/12/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2024-42375

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:businessobjects_business_intelligence_platform

Required KB Items: SMB/Registry/Enumerated, installed_sw/SAP BusinessObjects Business Intelligence Platform

Exploit Ease: No known exploits are available

Patch Publication Date: 8/13/2024

Vulnerability Publication Date: 8/13/2024

Reference Information

CVE: CVE-2024-28166, CVE-2024-41731, CVE-2024-42375

IAVA: 2024-A-0617