SAP Patches Critical Vulnerability Affecting SAP BusinessObjects Intelligence Platform

May 10, 2023


As part of its May monthly security rollup, SAP has released patches to resolve several vulnerabilities affecting several SAP products, including a critical vulnerability affecting SAP BusinessObjects Intelligence Platform.

The Critical Vulnerability

  • CVE-2023-28762 (CVSS 3.1: 9.1, Critical) - An information disclosure vulnerability in SAP BusinessObjects Intelligence Platform.
    Successful exploitation may allow an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction.
    The attacker can then impersonate any user on the platform, which allows them to access and modify data or make the system partially or entirely unavailable.

Affected Products

  • The critical vulnerability affects SAP BusinessObjects – versions 420, 430

Furthermore, SAP has published additional patches to address other high-severity vulnerabilities affecting several products.

The full list of affected products can be seen in the SAP Advisory.

Mitigation

CYREBRO recommends that those who use the vulnerable products update them to the most recent version in order to mitigate the vulnerabilities.

References: SAP Advisory
