Vulnerability identifier: #VU36006
Vulnerability risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID:
CWE-ID: CWE-200
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software: Crystal Reports
Vendor: SAP
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information, including credentials, which an attacker can misuse.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Crystal Reports: 2010
External links
https://packetstormsecurity.com/files/153471/SAP-Crystal-Reports-Information-Disclosure.html
https://launchpad.support.sap.com/#/notes/2687663
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.