CVE-2020-6208: 
SAP Crystal Reports vulnerability analysis and mitigation

SAP Business Objects Business Intelligence Platform (Crystal Reports), versions 4.1 and 4.2, contains a use-after-free vulnerability that allows an attacker with basic authorization to execute arbitrary code. The vulnerability was discovered in November 2019 and publicly disclosed on March 12, 2020, receiving a CVE identifier of CVE-2020-6208 (NVD, ZDI).

The vulnerability exists within the parsing of RPT files and results from the lack of validating the existence of an object prior to performing operations on the object. This use-after-free condition can be exploited to achieve remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (ZDI).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. Although the attack vector is local, multiple applications can be impacted as a result of the vulnerability, potentially leading to complete system compromise (NVD).

SAP has released security updates to address this vulnerability. Users are advised to apply the patches available through the SAP support portal (ZDI).