This can be mitigated by implementing access control rules that govern how information is shared between users and roles. In addition, the data that is shared must adhere to the principles of data quality to maintain its integrity. This security advisory discusses two issues with this product that might lead to a security risk. The first is that the product exposes sensitive data to a low-privileged user over the network. The second is that the exposed data is not governed by access control rules, which can lead to a high risk for integrity. A third issue is also discussed: the exposed data is not governed by data quality rules, which can lead to a high risk for confidentiality.

Network Exposure

The product exposes sensitive data from the Identity Manager to a low-privileged user over the network. This creates a high risk of a security breach because the user is not required to authenticate for this access.

Data Exposure to a Network User

The product is marketed as providing users with access to data shared within the organization. It exposes sensitive data over the network without any explicit authorization. The user must be authenticated before they are allowed to access this information. In this situation, an unauthorized person might be able to gain access to sensitive information stored on the system by using credentials belonging to a low-privileged user.

Network Exposure of Sensitive Data

This security advisory discusses a potential risk caused by the product exposing sensitive data over the network. In this scenario, a low-privileged user could access and view sensitive data that they should not be able to see without authorization. This increases the security risk because the data could be used to bypass access control rules or be analyzed in ways that are not intended. It can also lead to a risk for integrity because confidential information might be revealed publicly.

Exposing Sensitive Data to a Low-Privileged User Over the Network

This product exposes sensitive data to a low-privileged user over the network. This data includes an organizational identifier, which can be used to uniquely identify an entity such as a person or organization. The product also exposes the administrator's email address and a hash of the administrator's password.
This information could be used to gain access to other administrative functions on this product by intercepting traffic between the physical appliance and the management portal if it is accessible outside of its local network.

Issue 1: Data exposed over the network to a low-privileged user

This issue can be mitigated by implementing access control rules that govern how information is shared between users and roles. In addition, the data that is shared must adhere to the principles of data quality to maintain the integrity of the data.
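
The following is an added example, not code from the product or its vendor, of the kind of access control rule described above: a deny-by-default, per-role field allowlist applied to a record before it is sent over the network. The role names, field names and sample record are assumptions constructed for illustration.

```python
# Added illustration: field-level access control applied before a response
# leaves the server. Roles, field names and SAMPLE are constructed here and
# are not taken from the product.

# Per-role allowlists: a field is returned only if the caller's role lists it.
FIELD_ALLOWLIST = {
    "admin": {"org_id", "display_name", "admin_email", "admin_password_hash"},
    "user": {"display_name"},
}

# Fields that must never be serialized, even if an allowlist names them
# by mistake (here the "admin" allowlist does, to show the safety net).
NEVER_SERIALIZE = {"admin_password_hash"}


class AccessDenied(Exception):
    """Raised when the caller is unauthenticated or has an unknown role."""


def filter_record(record, role):
    """Return only the fields of `record` that `role` may see."""
    if role is None:
        raise AccessDenied("authentication required")
    if role not in FIELD_ALLOWLIST:
        raise AccessDenied(f"unknown role: {role!r}")
    allowed = FIELD_ALLOWLIST[role] - NEVER_SERIALIZE
    return {k: v for k, v in record.items() if k in allowed}


def leaked_fields(response, role):
    """Audit helper: fields in a captured response that `role` must not get."""
    allowed = FIELD_ALLOWLIST.get(role, set()) - NEVER_SERIALIZE
    return sorted(set(response) - allowed)


# Constructed record resembling the data the advisory says is exposed.
SAMPLE = {
    "org_id": "ORG-0001",
    "display_name": "Example Org",
    "admin_email": "admin@example.test",
    "admin_password_hash": "<constructed-placeholder>",
}

if __name__ == "__main__":
    print(filter_record(SAMPLE, "user"))
    print(filter_record(SAMPLE, "admin"))
    print(leaked_fields(SAMPLE, "user"))
```

`leaked_fields` can be run against responses captured while logged in as a low-privileged account to confirm that a fix actually removed the over-shared fields.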

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 17:29:00 UTC
