Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1531793-1)
SAP Support Packages
(SAPK-01133INCCEE, SAPK-10315INCCEE, SAPK-10633INCCEE, SAPK-11025INCCEE, SAPK-60211INCCEE, SAPK-60311INCCEE, SAPK-60409INCCEE)
Описание
1. The programs contained in the correction instructions contain vulnerabilities through which a malicious user can potentially read arbitrary files on the remote server, possibly disclosing confidential information.
2. Some of the programs contained in the correction instructions contain a vulnerability through which a malicious user can potentially write arbitrary files on the remote server, possibly corrupting data or altering system behavior.
2. Some of the programs contained in the correction instructions contain a vulnerability through which a malicious user can potentially write arbitrary files on the remote server, possibly corrupting data or altering system behavior.
Как исправить
Please refer to note 1497003 for additional information and instructions. The corrections from note 1497003 are a prerequisite for implementation of this note.
The following logical file names have been created in order to enable the validation of physical file names:
SI_FILE_EXPORT1
SI_FILE_EXPORT2
For the Selection screen parameters
Path to save file
Path to save file (OTV,ZAK)
the verification for the permitted directory was added. For setting up physical file paths you should follow transaction FILE (see F1 help for field Physical path).
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component C-CEE Country version...|
| Release 110_600 Until SAPK-11024INCCEE |
| Release 011_46C Until SAPK-01132INCCEE |
| Release 106_500 Until SAPK-10632INCCEE |
| Release 103_470 Until SAPK-10314INCCEE |
| Release 110_603 Until SAPK-60310INCCEE |
| Release 110_602 Until SAPK-60210INCCEE |
| Release 110_604 Until SAPK-60408INCCEE |
------------------------------------------------------------------------
The following logical file names have been created in order to enable the validation of physical file names:
SI_FILE_EXPORT1
SI_FILE_EXPORT2
For the Selection screen parameters
Path to save file
Path to save file (OTV,ZAK)
the verification for the permitted directory was added. For setting up physical file paths you should follow transaction FILE (see F1 help for field Physical path).
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component C-CEE Country version...|
| Release 110_600 Until SAPK-11024INCCEE |
| Release 011_46C Until SAPK-01132INCCEE |
| Release 106_500 Until SAPK-10632INCCEE |
| Release 103_470 Until SAPK-10314INCCEE |
| Release 110_603 Until SAPK-60310INCCEE |
| Release 110_602 Until SAPK-60210INCCEE |
| Release 110_604 Until SAPK-60408INCCEE |
------------------------------------------------------------------------
Ссылки