Platform
sap
Component
sap-business-objects-business-intelligence-platform
Fixed in
430.0.1
2025.0.1
2027.0.1
CVE-2025-42988 describes a Server-Side Request Forgery (SSRF) vulnerability affecting SAP Business Objects Business Intelligence Platform. This flaw allows an unauthenticated attacker to enumerate HTTP endpoints within the internal network by crafting specific HTTP requests. While it doesn't directly impact data integrity or availability, the exposed information can be leveraged for further attacks, including SSRF. The vulnerability impacts versions of the platform up to and including Enterprise 430, with a fix available in version 430.0.1.
The primary impact of CVE-2025-42988 is information disclosure. An attacker can use the vulnerability to discover internal HTTP endpoints that are not normally exposed to the outside world. This reconnaissance can then be used to launch SSRF attacks, potentially allowing the attacker to access internal resources, interact with internal APIs, or even trigger actions on internal systems. While the vulnerability itself doesn't allow for direct data modification or denial of service, the SSRF component could be exploited to achieve those outcomes depending on the internal services exposed. The lack of authentication required to exploit the vulnerability significantly broadens the potential attack surface.
CVE-2025-42988 was publicly disclosed on 2025-06-10. The CVSS score is LOW (3.7), indicating a relatively low probability of exploitation in most environments. No public proof-of-concept (PoC) code has been released at the time of this writing. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on HTTP endpoint enumeration suggests a reconnaissance-focused attack pattern.
Organizations utilizing SAP Business Objects Business Intelligence Platform, particularly those with complex internal network architectures and limited network segmentation, are at increased risk. Shared hosting environments where multiple tenants share the same infrastructure could also be vulnerable if the platform is deployed in a multi-tenant configuration.
• java / server:
# Monitor access logs for requests to internal endpoints originating from the SAP Business Objects platform.
# Example (assuming Apache access logs):
grep "SAP Business Objects" /var/log/apache2/access.log | grep "internal_endpoint"
• generic web:
# Use curl to probe for potential internal endpoints. This is a manual check, not automated.
curl -v http://<SAP_Business_Objects_IP>/internal_endpoint
Disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-42988 is to upgrade to SAP Business Objects Business Intelligence Platform version 430.0.1 or later. Prior to upgrading, it's crucial to review SAP's official upgrade documentation and perform thorough testing in a non-production environment to ensure compatibility and avoid any disruption to business operations. As a temporary workaround, consider implementing strict network segmentation to limit access to internal resources from the Business Objects platform. Web Application Firewalls (WAFs) can be configured to filter HTTP requests and block those attempting to enumerate endpoints. Monitor network traffic for unusual outbound connections originating from the Business Objects server.
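As an added illustration of the outbound-traffic monitoring suggested above (example code written for this page, not SAP's or the advisory's own tooling), the following Python script checks constructed egress log lines for connections from a hypothetical Business Objects host to internal addresses outside an approved list, and flags sweeps across several distinct internal targets. The host address, allow-list, threshold and log format are assumptions.

```python
import ipaddress

# Constructed sample egress log (hypothetical, not from any real system).
# Format assumed: timestamp src_ip dst_ip dst_port http_status
SAMPLE_LOG = """\
2025-06-11T10:00:01 10.0.5.20 10.0.5.30 443 200
2025-06-11T10:00:02 10.0.5.20 10.0.9.1 80 404
2025-06-11T10:00:02 10.0.5.20 10.0.9.2 80 404
2025-06-11T10:00:03 10.0.5.20 10.0.9.3 80 404
2025-06-11T10:00:03 10.0.5.20 169.254.169.254 80 200
2025-06-11T10:00:04 10.0.5.20 8.8.8.8 443 200
2025-06-11T10:00:05 10.0.7.8 10.0.9.4 80 200
"""

BO_SERVER = ipaddress.ip_address("10.0.5.20")  # hypothetical BI platform host
ALLOWED = {ipaddress.ip_address("10.0.5.30")}  # hypothetical approved backends (e.g. CMS database)
SCAN_THRESHOLD = 3  # distinct unexpected internal targets before we call it a sweep


def parse(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, status = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(status)


def is_internal(ip):
    """RFC 1918, loopback and link-local (incl. cloud metadata) ranges count as internal."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_suspicious(log_text):
    """Return (ts, dst, port, status) for BO-server connections to unapproved internal hosts."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, src, dst, port, status = parse(line)
        if src == BO_SERVER and is_internal(dst) and dst not in ALLOWED:
            hits.append((ts, str(dst), port, status))
    return hits


def looks_like_enumeration(hits):
    """Many distinct internal destinations from the BO server suggests endpoint sweeping."""
    return len({h[1] for h in hits}) >= SCAN_THRESHOLD


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for hit in found:
        print("unexpected internal request:", hit)
    print("enumeration pattern:", looks_like_enumeration(found))
```

The public destination and the connection from a different source host are intentionally left unflagged, so the rule stays focused on the server the advisory is about.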
Apply the security updates provided by SAP for Business Objects Business Intelligence Platform. Consult SAP Note 3585545 for detailed information on the updates and affected versions. It is recommended to perform comprehensive testing in a staging environment before applying the update in production.
CVE-2025-42988 is a Server-Side Request Forgery (SSRF) vulnerability in SAP Business Objects Business Intelligence Platform allowing unauthenticated attackers to enumerate internal HTTP endpoints.
You are affected if you are running SAP Business Objects Business Intelligence Platform versions up to and including Enterprise 430.
Upgrade to SAP Business Objects Business Intelligence Platform version 430.0.1 or later. Consider network segmentation and WAF rules as interim measures.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official SAP Security Notes for details and updates regarding CVE-2025-42988. Check the SAP Support Portal for the latest information.