• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1414089

Главная Специалистам База уязвимостей Не установлено обновление Note 1414089

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1414089-1) SAP Support Packages (SAPKB64026, SAPKB70022, SAPKB70107, SAPKB70203, SAPKB71010, SAPKB71105)
Описание
The affected remote API consists of two ICF nodes. The nodes (one for  HTTP, anther one for HTTPS) are used to transfer cache data from ABAP  Integration Server to RWB in xml format. In some cases input parameters  of an HTTP request are returned as-is to the http client. This makes these nodes vulnerable to reflective XSS attacks.

* What are the affected releases?
SAP_BASIS 640
SAP_BASIS 700
SAP_BASIS 701
SAP_BASIS 702
SAP_BASIS 710
SAP_BASIS 711

SAP_BASIS 720 is not affected as there is no PI 7.20
SAP_BASIS 730 is not vulnerable to this attack
Как исправить
The provided patch fixes the problem. The patch ensures that the http client (browser) never gets http input parameters as-is, but in an html-escaped way. This removes the danger of reflective XSS attacks.

* What are the fixed versions and patch levels?
SAP_BASIS 640 SP26
SAP_BASIS 700 SP22
SAP_BASIS 701 SP7
SAP_BASIS 702 SP3
SAP_BASIS 710 SP10
SAP_BASIS 711 SP5

Please apply the support package from the list above or apply the correction from the note.
Ссылки