• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1422625

Главная Специалистам База уязвимостей Не установлено обновление Note 1422625

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1422625-9) SAP Support Packages (SAPKB62068, SAPKB64026, SAPKB70022, SAPKB70107, SAPKB70203, SAPKB71010, SAPKB71105, SAPKB72003)
Описание
The cause of the problem is an SQL injection vulnerability. In the  source code, an SQL statement is composed of strings. In this case, an  attacker can obtain control of the contents of a substring. Therefore,  the attacker can manipulate the resulting entire SQL statement and  execute it with the rights of the database user who is logged on.
In this case, the attacker can display the data of all destinations, but  not the passwords of the logon users that are entered in the connection  data. The attacker cannot create new destinations or change or delete  existing destinations. The reading of destinations still always requires  (including those read without permission) the authorization S_RFC_ADM.
Как исправить
Import the relevant Support Package. In the corrected source code, we removed the dynamic WHERE clause and replaced it with a case distinction for the SQL statement that is used. This prevents the SQL injection.
Ссылки