CVE-2024-41730: Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
First published: Tue Aug 13 2024(Updated: )
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP BusinessObjects Business Intelligence Platform | =enterprise_430 | |
| SAP BusinessObjects Business Intelligence Platform | =enterprise_440 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/
- https://www.theregister.com/2024/08/14/august_patch_tuesday/
- https://www.theregister.com/2024/08/14/august_patch_tuesday_ipv6/
- https://me.sap.com/notes/3479478
- https://url.sap/sapsecuritypatchday
- https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
- https://www.theregister.com/2024/10/08/patch_tuesday_october_2024/
Frequently Asked Questions
What is the severity of CVE-2024-41730?
CVE-2024-41730 has a high severity due to the potential for unauthorized users to gain a logon token and compromise the system.
How do I fix CVE-2024-41730?
To fix CVE-2024-41730, it is recommended to apply the latest security patches provided by SAP for versions 430 and 440.
What impact does CVE-2024-41730 have on my system?
CVE-2024-41730 can lead to significant impacts on confidentiality, integrity, and availability due to unauthorized access.
Who is affected by CVE-2024-41730?
CVE-2024-41730 affects users of SAP BusinessObjects Business Intelligence Platform versions enterprise_430 and enterprise_440.
What kind of attack can exploit CVE-2024-41730?
CVE-2024-41730 can be exploited by an attacker using a REST endpoint to bypass Enterprise authentication.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-41730
- alias/CVE-2024-29415
- alias/CVE-2023-42282
- collector/the-register
- source/The Register
- alias/CVE-2024-38189
- alias/CVE-2024-38178
- alias/CVE-2024-38193
- alias/CVE-2024-38106
- alias/CVE-2024-38107
- alias/CVE-2024-38213
- alias/CVE-2024-38063
- alias/CVE-2024-38140
- alias/CVE-2024-38160
- alias/CVE-2024-38159
- alias/CVE-2024-38166
- alias/CVE-2024-38206
- alias/CVE-2024-38109
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- alias/CVE-2024-43491
- alias/CVE-2024-38216
- alias/CVE-2024-38220
- alias/CVE-2024-38194
- alias/CVE-2024-38188
- alias/CVE-2024-43470
- alias/CVE-2024-43469
- alias/CVE-2024-38018
- alias/CVE-2024-43464
- alias/CVE-2024-38119
- alias/CVE-2024-24968
- alias/CVE-2024-23984
- alias/CVE-2024-33003
- alias/CVE-2024-7889
- alias/CVE-2024-7890
- alias/CVE-2024-8190
- alias/CVE-2024-43572
- alias/CVE-2024-43573
- alias/CVE-2024-6197
- alias/CVE-2024-43583
- alias/CVE-2024-20659
- alias/CVE-2024-43468
- alias/CVE-2024-38124
- alias/CVE-2022-23302
- agent/references
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap businessobjects business intelligence platform
- version/sap businessobjects business intelligence platform/enterprise_430
- version/sap businessobjects business intelligence platform/enterprise_440