SAP Patches High Severity Flaws in Crystal Reports, NetWeaver
April 10, 2019 / Ionut Arghire
SAP this week released 6 Security Notes as part of its April 2019 Security Patch Day, including two that address High severity flaws in Crystal Reports and NetWeaver.

Tracked as CVE-2019-0285 (CVSS Base Score: 7.5), the vulnerability in Crystal Reports is an information disclosure issue that could provide an attacker with access to details such as system data, debugging information, and more.

The second High risk flaw is CVE-2019-0283 (CVSS Base Score: 7.1), a spoofing attack vulnerability in NetWeaver Java Application Server. An attacker could target the bug to spoof the data being displayed to the user.

Other vulnerabilities addressed this month include a missing authorization check for the ABAP INST function module (CVE-2019-0279, CVSS Base Score: 5.5), information disclosure in NetWeaver (CVE-2019-0282, CVSS Base Score: 5.3; CVE-2019-0278, CVSS Base Score: 5.1), and an XML External Entity (XXE) vulnerability in SAP HANA (CVE-2019-0284, CVSS Base Score: 5.1).