
Upgrade timeline for the libcurl vulnerability in Crystal Reports Runtime for VS

EFDS
Newcomer
0 Likes
1,587

Hi All, 

We have an application that uses the Crystal Reports Runtime (CRR). Recently, through an internal vulnerability scan, we found that the latest version of CRR, i.e. v.13_0_37, is still using a vulnerable version of libcurl.dll (v.8.4.0.0), which has been flagged in the NIST Database NVD - cve-2024-7264.

Wanted to know if the dev team at SAP has any upgrade timeline to update this vulnerable version of libcurl.dll to v.8.9.1 or higher?

Accepted Solutions (1)

DonWilliams
Active Contributor
0 Likes

Hello,

From the SAP Developers:

This CVE (NVD - cve-2024-7264) had already been assessed internally, since the function GTime2str() mentioned was never used by our code.

So it did not impact CR Runtime. If there's any critical CVE and the risk could not be mitigated, then we will upgrade the corresponding tp (third party) component.

So as I mentioned it doesn't affect CR runtime so just flag it as not critical in your scans.

Merry Christmas and Happy New Year

Don
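A practical follow-up to the answer above is to record which libcurl.dll copies are actually deployed, so the "not critical" triage decision can be documented against a concrete file version and hash. The script below is an added example, not code from the thread or from SAP: it walks an install root, reads the PE version resource of every libcurl.dll it finds, and flags copies below 8.9.1 (the libcurl release the question names as the fixed version). The default root path is a placeholder assumption; point it at wherever the CR runtime is installed.

```powershell
# Added example (not from the thread or SAP): inventory libcurl.dll copies under a
# root folder and flag those below the fixed version named in the thread.
param(
    # Placeholder install root; adjust to the actual CR runtime location
    [string]$Root = 'C:\Program Files (x86)\SAP BusinessObjects',
    # libcurl release the question cites as fixing CVE-2024-7264
    [version]$FixedIn = '8.9.1'
)

Get-ChildItem -Path $Root -Recurse -Filter 'libcurl.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # FileVersion strings may carry text suffixes; build a [version] from the numeric parts
        $v = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $v
            # True means the vulnerable code is present in the file; whether it is
            # reachable (the vendor's point about GTime2str()) is a separate question
            BelowFixed  = ($v -lt $FixedIn)
            # Hash lets the scan exception reference an exact artifact
            Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object BelowFixed -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-LibcurlVersions.ps1 -Root 'D:\Apps'` (or with no arguments to use the placeholder root). A `BelowFixed` value of `True` only says that the shipped library predates the fix; the exception you file in the scanner should pair that line with the vendor statement that the affected function is not called, and the hash lets you re-check the exception when a new CR runtime drop replaces the DLL.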

Answers (1)

DonWilliams
Active Contributor
0 Likes

I have not found anything about it so I pinged SAP Developers to see what they have to say...

They are in Shanghai so it'll be a day or so for a response.

Typically if the API reported is not used in CR they won't fix anything so you can simply ignore the reported scan.

Upgrading 3rd party references is a huge amount of work so they won't upgrade it if the reported issue is not used in CR's runtime.