Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/Au:N/C:P/I:C/A:P)
Производитель ПО
Наименование ПО
SAP Notes
(1503579-4)
SAP Support Packages
(XI_TOOLS_30_SP024_000008, XI_TOOLS_30_SP025_000005, XI_TOOLS_30_SP026_000003, XI_TOOLS_30_SP027_000001, XI_TOOLS_30_SP999999_999999, XI_TOOLS_700_SP019_000014, XI_TOOLS_700_SP020_000012, XI_TOOLS_700_SP021_000007, XI_TOOLS_700_SP022_000007, XI_TOOLS_700_SP023_000000, XI_TOOLS_700_SP024_000000, XI_TOOLS_700_SP999999_999999, XI_TOOLS_701_SP004_000009, XI_TOOLS_701_SP005_000008, XI_TOOLS_701_SP006_000006, XI_TOOLS_701_SP007_000003, XI_TOOLS_701_SP008_000000, XI_TOOLS_701_SP009_000000, XI_TOOLS_701_SP999999_999999, XI_TOOLS_702_SP003_000001, XI_TOOLS_702_SP004_000002, XI_TOOLS_702_SP005_000001, XI_TOOLS_702_SP006_000000, XI_TOOLS_702_SP999999_999999, XI_TOOLS_710_SP007_000030, XI_TOOLS_710_SP008_000019, XI_TOOLS_710_SP009_000013, XI_TOOLS_710_SP010_000004, XI_TOOLS_710_SP012_000000, XI_TOOLS_710_SP999999_999999, XI_TOOLS_711_SP003_000021, XI_TOOLS_711_SP004_000016, XI_TOOLS_711_SP005_000005, XI_TOOLS_711_SP006_000001, XI_TOOLS_711_SP007_000000, XI_TOOLS_711_SP999999_999999, XI_TOOLS_730_SP001_000000, XI_TOOLS_730_SP999999_999999)
Описание
Certain HTTP requests elude the authentication checks performed for HTTP GET requests so that the command is executed. The respective Java Servlets and Java Server Pages belong to the old administration pages which were replaced in NetWeaver 7.1 with a web-dynpro based solution. However, the old pages still exist and are accessible.
* What are the affected releases?
SAP_BASIS 640
SAP_BASIS 700
SAP_BASIS 701
SAP_BASIS 702
SAP_BASIS 710
SAP_BASIS 711
SAP_BASIS 730
SAP_BASIS 720 is not affected as there is no PI 7.20
SAP_BASIS 731 is not vulnerable to this attack
* What are the affected releases?
SAP_BASIS 640
SAP_BASIS 700
SAP_BASIS 701
SAP_BASIS 702
SAP_BASIS 710
SAP_BASIS 711
SAP_BASIS 730
SAP_BASIS 720 is not affected as there is no PI 7.20
SAP_BASIS 731 is not vulnerable to this attack
Как исправить
The provided patch solves the problem. Each HTTP request will undergo the authentication checks.
* What are the fixed versions and patch levels?
SAP_BASIS 640 SP24
SAP_BASIS 700 SP19
SAP_BASIS 701 SP4
SAP_BASIS 702 SP3
SAP_BASIS 710 SP7
SAP_BASIS 711 SP3
SAP_BASIS 730 SP1
Please apply the support package from the list above or apply the correction from the note.
* What are the fixed versions and patch levels?
SAP_BASIS 640 SP24
SAP_BASIS 700 SP19
SAP_BASIS 701 SP4
SAP_BASIS 702 SP3
SAP_BASIS 710 SP7
SAP_BASIS 711 SP3
SAP_BASIS 730 SP1
Please apply the support package from the list above or apply the correction from the note.
Ссылки