• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1503974

Главная Специалистам База уязвимостей Не установлено обновление Note 1503974

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1503974-3) SAP Support Packages (NW_MOBILE_CLIENT_SETUP_710_SP006_000015, NW_MOBILE_CLIENT_SETUP_710_SP007_000016, NW_MOBILE_CLIENT_SETUP_710_SP008_000005, NW_MOBILE_CLIENT_SETUP_710_SP009_000004, NW_MOBILE_CLIENT_SETUP_710_SP010_000004, NW_MOBILE_CLIENT_SETUP_710_SP012_000000, NW_MOBILE_CLIENT_SETUP_710_SP999999_999999, NW_MOBILE_CLIENT_SETUP_711_SP002_000005, NW_MOBILE_CLIENT_SETUP_711_SP003_000001, NW_MOBILE_CLIENT_SETUP_711_SP004_000003, NW_MOBILE_CLIENT_SETUP_711_SP005_000001, NW_MOBILE_CLIENT_SETUP_711_SP007_000000, NW_MOBILE_CLIENT_SETUP_711_SP999999_999999)
Описание
When Netweaver Mobile laptop client is launched as a Windows service, it  has administrator rights. If a JSP application is now launched within a  browser from this laptop client, the application will have administrator  rights and a malicious user can use this security loophole to traverse  the directory structure of the client and read files meant only for the  administrator. The malicious user could also use the application to  write to directories to which he has no access to - thereby possibly  corrupting the system / altering the behavior of the Netweaver Mobile client.
Как исправить
The JSP application is now launched from within the client status monitor which has the rights of the logged in user.

To get this security fix, please upgrade the client to at least the patch level as mentioned in the "SP Patch Level" section of this note, relevant to the release and SP that you are using.
Ссылки