CVE-2020-6219 - OpenCVE

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Crystal Reports For Visual Studio Businessobjects Business Intelligence Platform

Configuration 1 [-]

OR	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-::::::
	cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.2:-::::::
	cpe:2.3:a:sap:crystal_reports_for_visual_studio:2010:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2863731	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2020-04-14T18:19:18

Updated: 2020-04-14T18:19:18

Reserved: 2020-01-08T00:00:00

Link: CVE-2020-6219

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-14T19:15:17.250

Modified: 2020-04-15T16:23:26.460

Link: CVE-2020-6219

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 4.1"}, {"status": "affected", "version": "< 4.2"}]}, {"product": "Crystal Reports for VS", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 2010"}]}], "descriptions": [{"lang": "en", "value": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-14T18:19:18", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2863731"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-6219", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)", "version": {"version_data": [{"version_name": "<", "version_value": "4.1"}, {"version_name": "<", "version_value": "4.2"}]}}, {"product_name": "Crystal Reports for VS", "version": {"version_data": [{"version_name": "<", "version_value": "2010"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data."}]}, "impact": {"cvss": {"baseScore": "9.1", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}, {"name": "https://launchpad.support.sap.com/#/notes/2863731", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2863731"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-6219", "datePublished": "2020-04-14T18:19:18", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2020-04-14T18:19:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*", "matchCriteriaId": "A8B6535B-B825-4FDF-83A6-FD480EE6A987", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.2:-:*:*:*:*:*:*", "matchCriteriaId": "E094F9CE-B0A0-46B7-9BAF-0CA76888B19E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:crystal_reports_for_visual_studio:2010:*:*:*:*:*:*:*", "matchCriteriaId": "73474196-71E1-4363-9FBE-31F3815FDFB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data."}, {"lang": "es", "value": "SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versiones 4.1, 4.2 y Crystal Reports para VS versi\u00f3n 2010, permite a un atacante con autorizaci\u00f3n b\u00e1sica llevar a cabo ataques de deserializaci\u00f3n en la aplicaci\u00f3n, conllevando a interrupciones del servicio y una denegaci\u00f3n de servicio y a una ejecuci\u00f3n no autorizada de comandos arbitrarios, conllevando a la deserializaci\u00f3n de datos no confiables."}], "id": "CVE-2020-6219", "lastModified": "2020-04-15T16:23:26.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-14T19:15:17.250", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2863731"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "cna@sap.com", "type": "Secondary"}]}