Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1503974-3)
SAP Support Packages
(NW_MOBILE_CLIENT_SETUP_710_SP006_000015, NW_MOBILE_CLIENT_SETUP_710_SP007_000016, NW_MOBILE_CLIENT_SETUP_710_SP008_000005, NW_MOBILE_CLIENT_SETUP_710_SP009_000004, NW_MOBILE_CLIENT_SETUP_710_SP010_000004, NW_MOBILE_CLIENT_SETUP_710_SP012_000000, NW_MOBILE_CLIENT_SETUP_710_SP999999_999999, NW_MOBILE_CLIENT_SETUP_711_SP002_000005, NW_MOBILE_CLIENT_SETUP_711_SP003_000001, NW_MOBILE_CLIENT_SETUP_711_SP004_000003, NW_MOBILE_CLIENT_SETUP_711_SP005_000001, NW_MOBILE_CLIENT_SETUP_711_SP007_000000, NW_MOBILE_CLIENT_SETUP_711_SP999999_999999)
Описание
When Netweaver Mobile laptop client is launched as a Windows service, it has administrator rights. If a JSP application is now launched within a browser from this laptop client, the application will have administrator rights and a malicious user can use this security loophole to traverse the directory structure of the client and read files meant only for the administrator. The malicious user could also use the application to write to directories to which he has no access to - thereby possibly corrupting the system / altering the behavior of the Netweaver Mobile client.
Как исправить
The JSP application is now launched from within the client status monitor which has the rights of the logged in user.
To get this security fix, please upgrade the client to at least the patch level as mentioned in the "SP Patch Level" section of this note, relevant to the release and SP that you are using.
To get this security fix, please upgrade the client to at least the patch level as mentioned in the "SP Patch Level" section of this note, relevant to the release and SP that you are using.
Ссылки