Unrestricted file upload in SAP BusinessObjects Business Intelligence suite

#VU17730 Unrestricted file upload in SAP BusinessObjects Business Intelligence suite

Published: 2019-02-18

Vulnerability identifier: #VU17730

Vulnerability risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0259

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP BusinessObjects Business Intelligence suite
Server applications / Other server solutions

Vendor: SAP

Description
The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to unrestricted file upload. A remote attacker can supply specially crafted input, trick the victim into processing it and bypass security restrictions to conduct further attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

SAP BusinessObjects Business Intelligence suite: 4.2 - 4.3

External links
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922950

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP products