Insufficient verification of data authenticity in SAP BusinessObjects Business Intelligence suite - CVE-2023-37490

 

Insufficient verification of data authenticity in SAP BusinessObjects Business Intelligence suite - CVE-2023-37490

Published: August 9, 2023


Vulnerability identifier: #VU79275
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37490
CWE-ID: CWE-345
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
SAP BusinessObjects Business Intelligence suite

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing verification of data authenticity in SAP BusinessObjects Installer application. An attacker with control over the network share from which the application is being installed can replace files in temporary directory with malicious ones and compromise the affected system.


How to mitigate CVE-2023-37490

Install updates from vendor's website.

Sources