CVE-2025-42988 PUBLISHED

Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform

Assigner: sap
Reserved: 16.04.2025 Published: 10.06.2025 Updated: 10.06.2025

Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Business Objects Business Intelligence Platform
Versions	Default: unaffected Version ENTERPRISE 430 is affected Version 2025 is affected Version 2027 is affected

CVE-2025-42988 PUBLISHED

Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform

Metrics

Product Status

References

Problem Types