Symptom
Further information on the following Spring Framework vulnerabilities:
- CVE-2010-1622 - impacted versions: SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3
- CVE-2014-0054 - impacted versions: Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2
- CVE-2013-4152 - impacted versions: Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1
- CVE-2013-7315 - impacted versions: Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2
- CVE-2022-22950 - impacted versions: Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions
- CVE-2022-22965 - impacted versions: Spring MVC or Spring WebFlux application running on JDK 9+
- CVE-2022-22963 - impacted versions: Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions
- CVE-2024-22259 - impacted versions: 5.3.x / 6.0.x / 6.1.
- CVE-2024-22243 - impacted versions: 5.3.x / 6.0.x / 6.1.
- CVE-2024-38819 - impacted versions: Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions
- CVE-2014-3527
- CVE-2019-20444
Environment
- SAP BusinessObjects Business Intelligence (BI) Platform 4.2 (all Support Packs and Patches)
- SAP BusinessObjects Business Intelligence (BI) Platform 4.3 (all Support Packs and Patches)
- Spring Framework
- Windows
- Linux / Unix
Product
Keywords
CVE-2010-1622 Spring Framework - Arbitrary code Execution
CVE-2014-0054 Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)
CVE-2013-4152 XML eXternal Entity (XXE) injection in Spring Framework
CVE-2013-7315 XML External Entity (XXE) injection in Spring Framework
CVE-2022-22950 Spring Expression DoS Vulnerability
CVE-2022-22965 Spring Framework RCE via Data Binding on JDK 9+ Spring4Shell Zero-Day
CVE-2022-22963 Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2024-22259
CVE-2024-22243
CVE-2024-38819, KBA, BI-BIP-DEP, Webapp Deployment, Networking, Vulnerabilities, Webservices, MOB-APP-BI-SRV, Mobile BI Server, Problem
About this page
This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).