CVE-2020-26831

9.6 CRITICAL

📋 TL;DR

This is an XML external entity (XXE) weakness in the Crystal Reports generation path of SAP BusinessObjects BI Platform. An attacker with basic user privileges can upload an XML document carrying malicious entity declarations; when the platform parses it, the result is disclosure of files and directories readable by the service, server-side request forgery (SSRF) against hosts reachable from the BI server, or denial of service. It affects SAP BusinessObjects BI Platform versions 4.1, 4.2 and 4.3; any deployment in which users can reach Crystal Reports generation is exposed.

💻 Affected Systems

Products:
  • SAP BusinessObjects BI Platform
Versions: 4.1, 4.2, 4.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with basic privileges and access to Crystal Reports generation functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The BI server becomes an SSRF pivot against internal services that trust it, sensitive files readable by the service account are exfiltrated through file disclosure, and report generation is taken down by entity-expansion DoS.

🟠

Likely Case

Disclosure of internal files and directory contents, leaking configuration and host details that open further privilege escalation paths.

🟢

If Mitigated

Limited impact if DOCTYPE/entity processing is blocked before uploads reach the platform and egress from the BI server is restricted; the DoS risk remains until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account with basic privileges and access to report generation; once that access exists, crafting the malicious XML is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 2989075

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2989075

Restart Required: Yes

Instructions:

1. Download and apply SAP Security Note 2989075.
2. Restart the affected SAP BusinessObjects services.
3. Verify that the patch level named in the note is installed.

🔧 Temporary Workarounds

Disable XML entity processing (applies to: all platforms)

Configure XML parsers to disable external entity resolution: set FEATURE_SECURE_PROCESSING (javax.xml.XMLConstants) and the Xerces disallow-doctype-decl feature (DISALLOW_DOCTYPE_DECL). This only helps for parsers you configure yourself, such as a custom upload front-end or integration code; the platform's bundled report parser is fixed by the security note, not by this setting.

Restrict user privileges (applies to: all platforms)

Limit Crystal Reports generation to trusted users only; the attacker needs an account that can reach that function.

🧯 If You Can't Patch

  • Reject XML uploads that contain a DOCTYPE or ENTITY declaration before they reach the report engine
  • Apply egress filtering from the BI server to limit the reach of SSRF, and monitor for unexpected outbound connections and XML processing errors
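The following Python gate is an added example, not SAP's code and not part of the security note. It shows the "reject DOCTYPE and entity declarations" control at the one place you can apply it without the patch: a pre-upload filter (reverse proxy or custom upload handler, assumed here) in front of the Crystal Reports generation endpoint. The payloads are constructed to match the impacts listed in the TL;DR; the function names are illustrative.

```python
"""Pre-upload XML gate: refuse any document that declares a DOCTYPE or an entity.

Added example, not SAP code. It assumes uploads bound for Crystal Reports
generation pass through a component you control (reverse proxy, custom upload
handler) before they reach the BI Platform. Rejecting DOCTYPE outright is the
stdlib equivalent of the Xerces disallow-doctype-decl feature.
"""
from xml.parsers import expat


class UnsafeXml(Exception):
    """Raised when the document carries DTD or entity constructs we refuse."""


def check_xml_upload(data: bytes) -> dict:
    """Parse `data` with expat; raise UnsafeXml on the first DTD construct.

    Raising inside the DOCTYPE handler stops the parser before any entity is
    declared, expanded or fetched, so neither file disclosure, SSRF nor
    entity-expansion DoS can happen during the check itself.
    """
    parser = expat.ParserCreate()
    # Never parse parameter entities, so an external DTD is not fetched even
    # if a later change made the DOCTYPE handler permissive.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = 0

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            raise UnsafeXml(f"DOCTYPE {name!r} with external DTD {system_id!r}")
        raise UnsafeXml(f"DOCTYPE {name!r} with internal subset")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Defence in depth: unreachable while on_doctype raises, but keeps the
        # gate closed if the DOCTYPE handler is ever relaxed.
        raise UnsafeXml(f"entity {name!r} declared (SYSTEM={system_id!r})")

    def on_start(name, attrs):
        nonlocal elements
        elements += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed XML, including a bare reference to an undefined entity.
        raise UnsafeXml(f"malformed XML: {exc}") from exc
    return {"elements": elements}


def classify(data: bytes) -> str:
    """Human-readable verdict for a candidate upload."""
    try:
        summary = check_xml_upload(data)
    except UnsafeXml as exc:
        return f"rejected: {exc}"
    return f"accepted ({summary['elements']} elements)"


# Constructed payloads covering the impacts the advisory lists.
SAMPLES = {
    "benign": b"<report><title>Q3 sales</title></report>",
    "file_disclosure": (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
                        b'"file:///etc/passwd">]><r>&x;</r>'),
    "ssrf": (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
             b'"http://10.0.0.5:8080/">]><r>&x;</r>'),
    "dos": (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaaaaaa">'
            b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]><r>&b;</r>'),
    "external_dtd": b'<?xml version="1.0"?><!DOCTYPE r SYSTEM "http://10.0.0.5/evil.dtd"><r/>',
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:15s} {classify(payload)}")
```

The gate is deliberately coarse: legitimate report XML has no business carrying a DTD, so every DOCTYPE is refused rather than trying to tell a harmless one from an attack. Wire it in front of the upload endpoint and log the rejection reason together with the submitting user; those entries are the "unusual XML processing errors" indicator in the detection section.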

🔍 How to Verify

Check if Vulnerable:

Compare the installed SAP BusinessObjects BI Platform version and patch level against the fixed levels listed in SAP Security Note 2989075; 4.1, 4.2 and 4.3 installations below those levels are vulnerable.

Check Version:

Read the installed version and patch level from the Central Management Console (CMC) or from the installation's version files.

Verify Fix Applied:

Confirm the patch level from SAP Security Note 2989075 is installed, then test the upload path with a document that declares an external entity pointing at a host you monitor: a patched system must not issue the request.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML processing errors
  • Multiple failed XML upload attempts
  • Suspicious file access patterns

Network Indicators:

  • Unexpected outbound connections from SAP server
  • Internal network scanning from SAP server

SIEM Query:

The string 'XXE' will not appear in logs by itself; search the report generation and upload logs for 'XML parsing error' together with DTD keywords (DOCTYPE, ENTITY, SYSTEM, PUBLIC), and correlate hits with outbound connections from the same BI server.
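The correlation rule below is an added example, not a vendor-supplied query. It joins the two indicator classes above: a DTD-related XML parse error on a BI host, followed within a short window by outbound connections from that host that are not part of its expected egress. The log lines, field names and allowlist are constructed for illustration; real BI Platform trace and firewall formats differ, so the regexes are the part to adapt.

```python
"""Correlation rule for the log and network indicators listed above.

Added example, not a vendor-supplied rule. The log lines, field names and the
egress allowlist are constructed for illustration; real BI Platform trace and
firewall formats differ, so the regexes are the part you adapt.
"""
import re
from datetime import datetime, timedelta

# Constructed application-log lines: ISO timestamp, host, message.
APP_LOGS = [
    "2021-01-12T10:00:01Z bobj01 CrystalReports: report 'q3.rpt' generated for user analyst1",
    "2021-01-12T10:02:10Z bobj01 CrystalReports: XML parsing error: DOCTYPE with "
    "SYSTEM identifier 'http://10.0.0.5:8080/admin' in upload by user contractor7",
    "2021-01-12T10:40:00Z bobj02 CrystalReports: XML parsing error: unexpected end "
    "of file in upload by user analyst3",
]
# Constructed egress (firewall) lines for the same hosts.
NET_LOGS = [
    "2021-01-12T10:02:11Z fw src=bobj01 dst=10.0.0.5 dport=8080 action=allow",
    "2021-01-12T10:02:12Z fw src=bobj01 dst=10.0.0.6 dport=22 action=deny",
    "2021-01-12T10:41:00Z fw src=bobj02 dst=10.1.1.20 dport=1433 action=allow",
    "2021-01-12T11:00:00Z fw src=bobj01 dst=10.1.1.20 dport=1433 action=allow",
]
# Egress the BI servers are expected to generate (here: the reporting database).
EXPECTED_EGRESS = {("bobj01", "10.1.1.20", 1433), ("bobj02", "10.1.1.20", 1433)}

APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) .*XML parsing error: (?P<msg>.*)$")
NET_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
# Parse errors that mention DTD keywords are the ones worth chasing; a plain
# truncated file is noise.
DTD_RE = re.compile(r"\b(DOCTYPE|ENTITY|SYSTEM|PUBLIC)\b")


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_parse_errors(app_logs):
    """(time, host, message) for XML errors that mention DTD constructs."""
    hits = []
    for line in app_logs:
        m = APP_RE.match(line)
        if m and DTD_RE.search(m["msg"]):
            hits.append((parse_ts(m["ts"]), m["host"], m["msg"]))
    return hits


def correlate(app_logs, net_logs, window=timedelta(seconds=60)):
    """Alert when a host with a DTD-related parse error opens unexpected
    outbound connections within `window` afterwards. Denied connections are
    kept: a blocked SSRF attempt is still evidence of exploitation."""
    errors = suspicious_parse_errors(app_logs)
    alerts = []
    for line in net_logs:
        n = NET_RE.match(line)
        if not n:
            continue
        when, src, dst, dport = parse_ts(n["ts"]), n["src"], n["dst"], int(n["dport"])
        if (src, dst, dport) in EXPECTED_EGRESS:
            continue
        for err_time, host, msg in errors:
            if host == src and err_time <= when <= err_time + window:
                alerts.append({"host": src, "dst": dst, "dport": dport,
                               "action": n["action"], "trigger": msg})
    return alerts


if __name__ == "__main__":
    for alert in correlate(APP_LOGS, NET_LOGS):
        print(alert)
```

On the constructed data the rule fires twice for bobj01 (the allowed connection to 10.0.0.5:8080 and the denied one to 10.0.0.6:22) and stays quiet for bobj02, whose parse error is a truncated file and whose egress is on the allowlist. Tune the window to your report generation latency and keep the allowlist per host; a flat "any internal destination" rule drowns in the BI server's legitimate database traffic.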
