This SAP security note addresses several vulnerabilities identified in SAP 3D Visual Enterprise Viewer. Details of each vulnerability and the associated CVE information are given below.
1. Information Disclosure
An attacker can send a manipulated file to the victim, which can lead to leakage of sensitive information when the victim loads the malicious file into SAP 3D VE Viewer.
- CVSS Score: 5.7; CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
2. Improper Input Validation
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until the application is restarted.
The affected file formats and their CVE information are listed below:
Right Hemisphere Binary (.rh) - CVE-2020-6376
Computer Graphics Metafile (.cgm) - CVE-2020-6375
Jupiter Tessellation (.jt) - CVE-2020-6374
Portable Document Format (.pdf) - CVE-2020-6373
Portable Document Format (.pdf) - CVE-2020-6372
- CVSS Score: 4.3; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Available fix and Supported packages
- VE_VIEWER_COMPLETE | 9 | 9
- VE_VIEWER_COMPLETE 9.0 | SP009 | 000003
SAP Visual Enterprise Viewer
Exploit is not available.
For detailed information, please contact [email protected]