• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1628537 - Directory Traversal in Exportability Check Servlet

Главная Специалистам База уязвимостей Note 1628537 - Directory Traversal in Exportability Check Servlet

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:S/C:C/I:N/A:NSAP)
Производитель ПО
SAP
Наименование ПО
SAP Notes (1628537-7) SAP Support Packages (ESR_710_SP011_000015, ESR_710_SP012_000008, ESR_710_SP013_000008, ESR_710_SP014_000004, ESR_710_SP015_000000, ESR_710_SP016_000000, ESR_710_SP999999_999999, ESR_711_SP007_000009, ESR_711_SP008_000006, ESR_711_SP010_000000, ESR_711_SP999999_999999, ESR_720_SP003_000006, ESR_720_SP004_000004, ESR_720_SP005_000003, ESR_720_SP006_000002, ESR_720_SP007_000001, ESR_720_SP999999_999999, ESR_730_SP000_000004, ESR_730_SP001_000010, ESR_730_SP002_000014, ESR_730_SP003_000007, ESR_730_SP004_000002, ESR_730_SP005_000006, ESR_730_SP006_000000, ESR_730_SP007_000001, ESR_730_SP008_000000, ESR_730_SP999999_999999, ESR_731_SP001_000004, ESR_731_SP002_000003, ESR_731_SP003_000004, ESR_731_SP004_000000, ESR_731_SP999999_999999, XI_ADAPTER_FRAMEWORK_30_SP026_000010, XI_ADAPTER_FRAMEWORK_30_SP027_000007, XI_ADAPTER_FRAMEWORK_30_SP028_000003, XI_ADAPTER_FRAMEWORK_30_SP029_000002, XI_ADAPTER_FRAMEWORK_30_SP030_000000, XI_ADAPTER_FRAMEWORK_30_SP999999_999999, XI_ADAPTER_FRAMEWORK_701_SP007_000010, XI_ADAPTER_FRAMEWORK_701_SP008_000006, XI_ADAPTER_FRAMEWORK_701_SP009_000005, XI_ADAPTER_FRAMEWORK_701_SP010_000003, XI_ADAPTER_FRAMEWORK_701_SP011_000003, XI_ADAPTER_FRAMEWORK_701_SP012_000000, XI_ADAPTER_FRAMEWORK_701_SP999999_999999, XI_ADAPTER_FRAMEWORK_710_SP011_000014, XI_ADAPTER_FRAMEWORK_710_SP012_000010, XI_ADAPTER_FRAMEWORK_710_SP013_000004, XI_ADAPTER_FRAMEWORK_710_SP014_000004, XI_ADAPTER_FRAMEWORK_710_SP015_000000, XI_ADAPTER_FRAMEWORK_710_SP016_000000, XI_ADAPTER_FRAMEWORK_710_SP999999_999999, XI_ADAPTER_FRAMEWORK_711_SP007_000020, XI_ADAPTER_FRAMEWORK_711_SP008_000011, XI_ADAPTER_FRAMEWORK_711_SP009_000002, XI_ADAPTER_FRAMEWORK_711_SP010_000000, XI_ADAPTER_FRAMEWORK_711_SP999999_999999, XI_ADAPTER_FRAMEWORK_720_SP003_000002, XI_ADAPTER_FRAMEWORK_720_SP004_000001, XI_ADAPTER_FRAMEWORK_720_SP005_000001, XI_ADAPTER_FRAMEWORK_720_SP006_000002, XI_ADAPTER_FRAMEWORK_720_SP007_000001, XI_ADAPTER_FRAMEWORK_720_SP999999_999999, XI_ADAPTER_FRAMEWORK_730_SP000_000004, XI_ADAPTER_FRAMEWORK_730_SP001_000011, XI_ADAPTER_FRAMEWORK_730_SP002_000012, XI_ADAPTER_FRAMEWORK_730_SP003_000018, XI_ADAPTER_FRAMEWORK_730_SP004_000013, XI_ADAPTER_FRAMEWORK_730_SP005_000013, XI_ADAPTER_FRAMEWORK_730_SP007_000001, XI_ADAPTER_FRAMEWORK_730_SP008_000000, XI_ADAPTER_FRAMEWORK_730_SP999999_999999, XI_ADAPTER_FRAMEWORK_731_SP001_000007, XI_ADAPTER_FRAMEWORK_731_SP002_000008, XI_ADAPTER_FRAMEWORK_731_SP003_000004, XI_ADAPTER_FRAMEWORK_731_SP004_000000, XI_ADAPTER_FRAMEWORK_731_SP999999_999999, XI_TOOLS_30_SP024_000013, XI_TOOLS_30_SP025_000014, XI_TOOLS_30_SP026_000011, XI_TOOLS_30_SP027_000008, XI_TOOLS_30_SP030_000000, XI_TOOLS_30_SP999999_999999, XI_TOOLS_700_SP023_000012, XI_TOOLS_700_SP024_000014, XI_TOOLS_700_SP025_000007, XI_TOOLS_700_SP026_000002, XI_TOOLS_700_SP028_000000, XI_TOOLS_700_SP999999_999999, XI_TOOLS_701_SP007_000013, XI_TOOLS_701_SP008_000008, XI_TOOLS_701_SP009_000008, XI_TOOLS_701_SP010_000005, XI_TOOLS_701_SP011_000001, XI_TOOLS_701_SP012_000000, XI_TOOLS_701_SP999999_999999, XI_TOOLS_702_SP003_000008, XI_TOOLS_702_SP004_000009, XI_TOOLS_702_SP005_000009, XI_TOOLS_702_SP006_000009, XI_TOOLS_702_SP007_000007, XI_TOOLS_702_SP008_000006, XI_TOOLS_702_SP009_000005, XI_TOOLS_702_SP010_000003, XI_TOOLS_702_SP011_000002, XI_TOOLS_702_SP012_000000, XI_TOOLS_702_SP999999_999999, XI_TOOLS_711_SP006_000018, XI_TOOLS_711_SP007_000007, XI_TOOLS_711_SP008_000005, XI_TOOLS_711_SP010_000000, XI_TOOLS_711_SP999999_999999, XI_TOOLS_730_SP000_000001, XI_TOOLS_730_SP001_000007, XI_TOOLS_730_SP002_000007, XI_TOOLS_730_SP003_000009, XI_TOOLS_730_SP005_000007, XI_TOOLS_730_SP008_000000, XI_TOOLS_730_SP999999_999999, XI_TOOLS_731_SP001_000003, XI_TOOLS_731_SP002_000003, XI_TOOLS_731_SP003_000004, XI_TOOLS_731_SP004_000000, XI_TOOLS_731_SP999999_999999)
Описание
User inputs for directory traversal not validated. i.e. In the file name  input containing .. and \ and / for navigation were not validated.
Как исправить
This patch would fix the security issues mentioned with ESR which could cause a potential security threat like XI administrative tools          exhibiting several possibilities for script injection attacks via URL   parameters.The directory traversal threat used to access the files in the file system of the user is addressed in the fix. In the directory and repository support page for Exportability Servlet, the input fields have been handled to not allow the user to traverse through the file system using .. and / and \ characters.Customer can find out the version that he uses by opening the Administration pages of ESR and then clicking on "Software Build Information" link and viewing the following information - Make Release ,SPS Number.All the affected versions are fixed.You can get the fixed versions from the service market place.Service Market Place -> Downloads -> SAP Support Package -> Enter by Application Group -> SAP Netweaver -> Select desired Release -> Desired SCA.
Ссылки