SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2701027
was released on
10.12.2019 and deals with
"[CVE-2019-0398] Cross-Site Request Forgery (CSRF) vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring application)" within BI/BO platform.
We advice you to follow the instructions, to resolve
cross-site request forgery (xsrf)
medium potential for exploitation
in component BI-BIP-MON.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Risk specificationBOE Monitoring Application allows an unauthenticated attacker to trick an authenticated user to send unintended request to the web server resulting in a CSRF vulnerability.
The XSRF protection framework is now properly utilized in the BOE Monitoring Application checking for correct authentication tokens to be present
SAP BusinessObjects Business Intelligence suite is an analytics platform allowing SAP customers to make better decisions based on their business data. SAP BI is a module meant for producing business insights and expands its power in combination with HANA DB and also exists as BW/4 HANA. Due to processing sensitive business data, the Data security is of utmost importance.
The advisory is valid for
- 9.9 [CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)
- 7.6 [CVE-2020-6275] Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP
- 5.5 Cross-Site Request Forgery (CSRF) vulnerability in Cash Management
- 5.4 Cross-Site Request Forgery (CSRF) vulnerability in S/4HANA Finance for advanced payment management
- 5.4 Cross-Site Request Forgery (CSRF) vulnerability in S/4HANA OP2020, OP1909 in Import Financial Plan Data