CVE-2020-6308

Tags: MEDIUM · EXPLOITED · NUCLEI

SAP BusinessObjects Web Services - Info Disclosure


Exploitation Summary

CVE-2020-6308 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including InitRoot, TheMMMdev and MachadoOtto. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2020-6308, an SSRF vulnerability in SAP BusinessObjects Business Intelligence Platform. It includes HTTP request examples, timing-based port scanning techniques, and explanations of the vulnerable CMS parameter injection.

Description

SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420 and 430 allow an unauthenticated attacker to inject arbitrary values as CMS parameters and perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, an attacker can scan the internal network to map internal infrastructure and gather information for further attacks such as remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.

Exploits (4)

nomisec · WRITEUP · 36 stars
by InitRoot · infoleak
https://github.com/InitRoot/CVE-2020-6308-PoC

The repository provides a detailed technical analysis of CVE-2020-6308, an SSRF vulnerability in SAP BusinessObjects Business Intelligence Platform. It includes HTTP request examples, timing-based port scanning techniques, and explanations of the vulnerable CMS parameter injection.

Classification: Writeup (90%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, 430
Authentication: none needed
Prerequisites: Network access to the SAP BusinessObjects server · Misconfigured firewall allowing outbound connections
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 1 star
by TheMMMdev · infoleak
https://github.com/TheMMMdev/CVE-2020-6308

This repository contains a functional Go script that automates the exploitation of CVE-2020-6308, an SSRF vulnerability in SAP Business Objects. The script sends crafted HTTP requests to probe internal ports via the vulnerable endpoint, using timing-based responses to infer port status.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: SAP Business Objects
Authentication: none needed
Prerequisites: Network access to the vulnerable SAP Business Objects instance · The target endpoint must be reachable
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC
by MachadoOtto · infoleak
https://github.com/MachadoOtto/sap_bo_launchpad-ssrf-timing_attack

This repository contains a functional Python script that exploits CVE-2020-6308, an SSRF vulnerability in SAP BusinessObjects Launchpad. The script performs a timing attack to infer open ports on a target IP by leveraging SAP's authentication mechanisms.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: SAP BusinessObjects Launchpad
Authentication: none needed
Prerequisites: Access to the SAP BusinessObjects Launchpad URL · Target IP address to probe
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC
by freeFV · poc
https://github.com/freeFV/CVE-2020-6308-mass-exploiter

This repository contains a functional mass exploiter for CVE-2020-6308, targeting F5 Big-IP devices. The exploit leverages a path traversal vulnerability to read sensitive files like /etc/passwd, confirming vulnerability status.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: F5 Big-IP
Authentication: none needed
Prerequisites: List of target IPs/URLs
Analyzed by devstral-2 on Feb 18, 2026

Nuclei Templates (1)

SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
Severity: MEDIUM · by madrobot

References (2)

Core References (2)
Permissions Required, Vendor Advisory (x_refsource_misc): https://launchpad.support.sap.com/#/notes/2943844

Scores

CVSS v3: 5.3
EPSS: 0.6174
EPSS Percentile: 99.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV: 2024-02-14
CWE: CWE-918
Status: published
Products (3):
sap/businessobjects_business_intelligence_platform 4.1
sap/businessobjects_business_intelligence_platform 4.2
sap/businessobjects_business_intelligence_platform 4.3
Published: Oct 20, 2020
Tracked Since: Feb 18, 2026