SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2973497
was released on
13.10.2020 and deals with
"[CVE-2020-6315] Multiple Vulnerabilities in SAP 3D Visual Enterprise Viewer" within SAP 3D Visual Eneprise .
We advice you to follow the instructions, to resolve
denial of service (dos)
medium potential for exploitation
in component CA-VE-VEV.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Risk specificationThis SAP security note addresses several vulnerabilities identified in SAP 3D Visual Enterprise Viewer. Under certain conditions SAP 3D Visual Enterprise Viewer allows an attacker to access information which would otherwise be restricted. Additionally, when a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.
The resolution of external DTD entities was disabled by default. The following file formats have been fixed with additional validation when they are opened in SAP 3D Visual Enterprise Viewer: Computer Graphics Metafile (.cgm); Jupiter Tessallation (.jt); Portable Document Format (.pdf); Right Hemisphere Binary (.rh)
The advisory is valid for