• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1518284

Главная Специалистам База уязвимостей Не установлено обновление Note 1518284

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1518284-5) SAP Support Packages (SAPK-51015INSCMEWM, SAPK-70009INSCMEWM, SAPK-70103INSCMEWM, SAPKY50019)
Описание
The programs contained in the correction instructions contain  vulnerabilities through which a malicious user can potentially read  arbitrary files on the remote server, possibly disclosing confidential information.
Как исправить
For Release EWM 5.0 (SCM 5.) only local filenames can be used in the above transactions. For this release implement the correction instruction. This disables that the application server can be accessed. The handling of logical filenames is not necessary.

For release SCM 5.1 and above (SCMEWM 5.1 and above) please refer to note 1497003 for additional information and instructions. The corrections from note 1497003 are a prerequisite for implementation of this note.

The following logical file names have been created to enable the validation of the physical file names for the mentioned transactions:
transaction /SCWM/SBUP: logical filename = EWM_STOBIN_UPLOAD
transaction /SCWM/SRTUP: logical filename = EWM_STOBIN_SORT_UPLOAD
transaction /SCWM/ISU: logical filename = EWM_STOCK_UPLOAD
transaction /SCWM/ELS_UPLOAD: see note 1453187 for information and prerequisite for the logical filenames.
transaction /SCWM/MS_RESULT: see note 1452989 for information and prerequisites for the logical filenames.
The logical files names that are listed above use the following logical file paths.
logical filename = EWM_STOBIN_UPLOAD. logical filepath = EWM_STOBIN_UPLOAD_PATH
logical filename = EWM_STOBIN_SORT_UPLOAD. logical filepath = EWM_STOBIN_SORT_UPLOAD_PATH
logical filename = EWM_STOCK_UPLOAD. logical filepath = EWM_STOCK_UPLOAD_PATH
Ссылки