Description
This SAP security note addresses several vulnerabilities identified in SAP 3D Visual Enterprise Viewer. Details of each vulnerability and the corresponding CVE identifiers are listed below.
1. Information Disclosure
An attacker can send a manipulated file to the victim. When the victim loads the malicious file into SAP 3D Visual Enterprise Viewer, sensitive information can be leaked.
- CVE-2020-6315
- CVSS Score: 5.7; CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
2. Improper Input Validation
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until it is restarted.
The affected file formats and their CVE identifiers are listed below:
- Right Hemisphere Binary (.rh) - CVE-2020-6376
- Computer Graphics Metafile (.cgm) - CVE-2020-6375
- Jupiter Tessellation (.jt) - CVE-2020-6374
- Portable Document Format (.pdf) - CVE-2020-6373
- Portable Document Format (.pdf) - CVE-2020-6372
- CVSS Score: 4.3; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Available fix and Supported packages
- VE_VIEWER_COMPLETE | 9 | 9
- VE_VIEWER_COMPLETE 9.0 | SP009 | 000003
Affected component
- CA-VE-VEV
SAP Visual Enterprise Viewer
CVSS
Score: 5.7
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
PoC
Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2973497