CVE-2022-32246

Name of the Vulnerable Software and Affected Versions SAP Business Objects Business Intelligence Platform (Visual Difference Application) versions 420, 430

Description The issue allows an authenticated attacker with access to the BI admin console to send crafted queries and extract data from the SQL backend, potentially causing limited impact on confidentiality and integrity of the application. This is due to the lack of measures to neutralize special elements used in SQL queries. An attacker can exploit this by sending a specially crafted SQL query to disclose protected information.

Recommendations For versions 420 and 430, consider restricting access to the BI admin console and limiting the ability to send crafted queries to the SQL backend until a fix is available. As a temporary workaround, disabling the Visual Difference Application component may help minimize the risk of exploitation.