This SAP Security Note addresses below vulnerabilities identified in SAP Business Objects Business Intelligence Platform. The vulnerability details along with their CVE relevant information can be found below.

File Injection:

SAP Business Objects Version Management allows an attacker to inject file/code that can be executed by the application. An attacker could thereby control the behavior of the application.

• CVE-2020-6245 
• CVSS:6.5;CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Some well-known impacts of Code Injection vulnerability are

• Unauthorized execution of commands
• Sensitive information disclosure
• Denial of Service

Denial of Service(DoS) :

SAP BusinessObjects Platform allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially-crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system availability.

• CVE-2020-6247
• CVSS: 5.9; CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Some well-known impacts of Denial of Service vulnerability are –

• Long response delays and service interruptions, thus degrading the service quality experienced by legitimate users
• Direct impact on availability

Information Disclosure :

Under certain conditions or error scenarios, SAP Business Objects allows an attacker to access information which would otherwise be restricted. The attack is found in BILaunchPad/CMC module.

• CVE-2020-6251
• CVSS: 4.3; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Some well-known impacts of Information Disclosure are –

• Loss of information and system configuration confidentiality
• Information gathering for further exploits and attacks