on 2025 Mar 07 4:40 PM
Hello
Regarding Crystal Reports for Eclipse (Java) - SP31:
Looks like there is vulnerability CVE-2024-21742 in file:
lib/xmlconnector.jar/lib/apache-mime4j-core-0.8.9.jar
version 0.8.10 and beyond does not have this vulnerability:
https://mvnrepository.com/artifact/org.apache.james/apache-mime4j-core
CVE details:
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
Can someone confirm if this is affected by this CVE, and if so can this be a hotfix or new service pack?
Thank you!
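The question above is really an inventory problem: the affected artifact sits inside a nested jar (lib/xmlconnector.jar/lib/apache-mime4j-core-0.8.9.jar), so a flat directory listing will miss it. The following is an added example, not code from SAP or from anyone in this thread; it walks a lib folder, opens every jar, recurses into jars embedded in jars, and flags any apache-mime4j-core older than 0.8.10 (the first fixed version named in the post). The sample jar it builds in memory is constructed here to mirror the layout quoted above. It only answers "is the vulnerable version shipped", not whether the code path is reachable, which is the separate point R&D raises later about XML/web-service data sources.

```python
import io
import re
import zipfile
from pathlib import Path

# Affected artifact and first fixed version, both taken from the thread
# (CVE-2024-21742 in apache-mime4j-core; 0.8.10 and later are not affected).
ARTIFACT = "apache-mime4j-core"
FIXED_VERSION = (0, 8, 10)
JAR_NAME_RE = re.compile(r"apache-mime4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) for an apache-mime4j-core jar name, else None."""
    m = JAR_NAME_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """Versions below the first fixed release are flagged."""
    return version < FIXED_VERSION


def scan_jar(jar_bytes, path_prefix):
    """Return [(path, version, vulnerable)] for mime4j-core jars found inside
    an archive, recursing into jars nested in jars (e.g. xmlconnector.jar/lib/...)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            if not name.endswith(".jar"):
                continue
            full = f"{path_prefix}/{name}"
            v = parse_version(name)
            if v is not None:
                findings.append((full, v, is_vulnerable(v)))
            findings.extend(scan_jar(zf.read(name), full))
    return findings


def scan_dir(lib_dir):
    """Scan every jar under lib_dir, including ones embedded in other jars."""
    findings = []
    for p in sorted(Path(lib_dir).rglob("*.jar")):
        v = parse_version(p.name)
        if v is not None:
            findings.append((str(p), v, is_vulnerable(v)))
        findings.extend(scan_jar(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(mime4j_version):
    """Constructed sample (not a real SAP artifact): an outer jar nesting
    lib/apache-mime4j-core-<version>.jar, mirroring the path quoted in the thread."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"lib/apache-mime4j-core-{mime4j_version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Demo on the constructed sample; point scan_dir() at a real lib folder instead.
    for path, ver, vuln in scan_jar(build_sample_jar("0.8.9"), "xmlconnector.jar"):
        status = "VULNERABLE (< 0.8.10)" if vuln else "ok"
        print(f"{path}: {'.'.join(map(str, ver))} {status}")
```

Run `scan_dir("path/to/lib")` against the folder you actually redistribute with your wrapper; each finding carries the full nested path so you can tell an embedded copy apart from a top-level one.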
I heard back from R&D:
apache-mime4j-core-0.8.9.jar is used to parse XML/web service data sources. If you don't use XML/web service as the data source, this CVE won't affect you.
When using Crystal Report for Eclipse, users must first ensure that the data source is secure, so the impact of this CVE on us is also limited.
Additionally, we can consider upgrading it in SP32.
Hope this answers your questions?
Don
Thank you again DonWilliams
That is good to know. We do not use XML/Web services as the data source, so we are testing the application without this jar file and so far it seems OK.
Regarding SP32, that doesn't seem to be available on the website?
https://pages.community.sap.com/topics/crystal-reports
Note that SP31 is the latest service pack for SAP Crystal Reports for Eclipse (JAVA) on that link.
Is there another public link for SP32?
EDIT: I just realised you said you COULD upgrade it in SP32, please do!
Thank you!
I pinged R&D to comment on this one.
Often, though, there are reported CVEs but CR doesn't use that part, so it doesn't affect the use in CR applications.
If you have concerns for your implementation in your app you will need to show R&D how your app is vulnerable in a test app they can look at.
They are in Shanghai so it may take a few days to get a response...
Thank you DonWilliams.
For context, xmlconnector is a file which is distributed with the Crystal Reports runtime for Eclipse; currently we distribute all files from the lib folder with our Java wrapper application. Are we saying that, depending on the Java wrapper, that jar may not be used? If so, is there any information on what it is used for by the Crystal Reports engine?
Also, any update from R&D as yet?
Thank you very much!