CVE-2019-0352 - OpenCVE

In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Businessobjects Business Intelligence Platform

Configuration 1 [-]

OR	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.10:::::::*
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.20:::::::*
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.30:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2735924	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2019-09-10T16:03:38

Updated: 2019-09-10T16:03:38

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0352

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-10T17:15:10.750

Modified: 2019-09-11T12:20:29.977

Link: CVE-2019-0352

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "SAP BusinessObjects Business Intelligence Platform (CMC)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 4.1"}, {"status": "affected", "version": "< 4.2"}, {"status": "affected", "version": "< 4.3"}]}], "descriptions": [{"lang": "en", "value": "In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-10T16:03:38", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2735924"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0352", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP BusinessObjects Business Intelligence Platform (CMC)", "version": {"version_data": [{"version_name": "<", "version_value": "4.1"}, {"version_name": "<", "version_value": "4.2"}, {"version_name": "<", "version_value": "4.3"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/2735924", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2735924"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0352", "datePublished": "2019-09-10T16:03:38", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2019-09-10T16:03:38", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.10:*:*:*:*:*:*:*", "matchCriteriaId": "3B376347-8275-422E-85EB-FFF06DD4B163", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.20:*:*:*:*:*:*:*", "matchCriteriaId": "94D99965-4042-45FB-9DD1-E2179BC2CB04", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.30:*:*:*:*:*:*:*", "matchCriteriaId": "8736E5E3-BF1A-4E3C-92B9-E81C4F7B4877", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout."}, {"lang": "es", "value": "En SAP Business Objects Business Intelligence Platform, versiones anteriores a 4.1, 4.2 y 4.3, algunas p\u00e1ginas din\u00e1micas (como jsp) son almacenadas en cach\u00e9, lo que conlleva a que un atacante pueda visualizar la informaci\u00f3n confidencial por medio de la cach\u00e9 y puede abrir las p\u00e1ginas din\u00e1micas incluso luego de cerrar sesi\u00f3n."}], "id": "CVE-2019-0352", "lastModified": "2019-09-11T12:20:29.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-10T17:15:10.750", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2735924"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}