Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:S/C:C/I:N/A:NSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1628537-7)
SAP Support Packages
(ESR_710_SP011_000015, ESR_710_SP012_000008, ESR_710_SP013_000008, ESR_710_SP014_000004, ESR_710_SP015_000000, ESR_710_SP016_000000, ESR_710_SP999999_999999, ESR_711_SP007_000009, ESR_711_SP008_000006, ESR_711_SP010_000000, ESR_711_SP999999_999999, ESR_720_SP003_000006, ESR_720_SP004_000004, ESR_720_SP005_000003, ESR_720_SP006_000002, ESR_720_SP007_000001, ESR_720_SP999999_999999, ESR_730_SP000_000004, ESR_730_SP001_000010, ESR_730_SP002_000014, ESR_730_SP003_000007, ESR_730_SP004_000002, ESR_730_SP005_000006, ESR_730_SP006_000000, ESR_730_SP007_000001, ESR_730_SP008_000000, ESR_730_SP999999_999999, ESR_731_SP001_000004, ESR_731_SP002_000003, ESR_731_SP003_000004, ESR_731_SP004_000000, ESR_731_SP999999_999999, XI_ADAPTER_FRAMEWORK_30_SP026_000010, XI_ADAPTER_FRAMEWORK_30_SP027_000007, XI_ADAPTER_FRAMEWORK_30_SP028_000003, XI_ADAPTER_FRAMEWORK_30_SP029_000002, XI_ADAPTER_FRAMEWORK_30_SP030_000000, XI_ADAPTER_FRAMEWORK_30_SP999999_999999, XI_ADAPTER_FRAMEWORK_701_SP007_000010, XI_ADAPTER_FRAMEWORK_701_SP008_000006, XI_ADAPTER_FRAMEWORK_701_SP009_000005, XI_ADAPTER_FRAMEWORK_701_SP010_000003, XI_ADAPTER_FRAMEWORK_701_SP011_000003, XI_ADAPTER_FRAMEWORK_701_SP012_000000, XI_ADAPTER_FRAMEWORK_701_SP999999_999999, XI_ADAPTER_FRAMEWORK_710_SP011_000014, XI_ADAPTER_FRAMEWORK_710_SP012_000010, XI_ADAPTER_FRAMEWORK_710_SP013_000004, XI_ADAPTER_FRAMEWORK_710_SP014_000004, XI_ADAPTER_FRAMEWORK_710_SP015_000000, XI_ADAPTER_FRAMEWORK_710_SP016_000000, XI_ADAPTER_FRAMEWORK_710_SP999999_999999, XI_ADAPTER_FRAMEWORK_711_SP007_000020, XI_ADAPTER_FRAMEWORK_711_SP008_000011, XI_ADAPTER_FRAMEWORK_711_SP009_000002, XI_ADAPTER_FRAMEWORK_711_SP010_000000, XI_ADAPTER_FRAMEWORK_711_SP999999_999999, XI_ADAPTER_FRAMEWORK_720_SP003_000002, XI_ADAPTER_FRAMEWORK_720_SP004_000001, XI_ADAPTER_FRAMEWORK_720_SP005_000001, XI_ADAPTER_FRAMEWORK_720_SP006_000002, XI_ADAPTER_FRAMEWORK_720_SP007_000001, XI_ADAPTER_FRAMEWORK_720_SP999999_999999, XI_ADAPTER_FRAMEWORK_730_SP000_000004, XI_ADAPTER_FRAMEWORK_730_SP001_000011, XI_ADAPTER_FRAMEWORK_730_SP002_000012, XI_ADAPTER_FRAMEWORK_730_SP003_000018, XI_ADAPTER_FRAMEWORK_730_SP004_000013, XI_ADAPTER_FRAMEWORK_730_SP005_000013, XI_ADAPTER_FRAMEWORK_730_SP007_000001, XI_ADAPTER_FRAMEWORK_730_SP008_000000, XI_ADAPTER_FRAMEWORK_730_SP999999_999999, XI_ADAPTER_FRAMEWORK_731_SP001_000007, XI_ADAPTER_FRAMEWORK_731_SP002_000008, XI_ADAPTER_FRAMEWORK_731_SP003_000004, XI_ADAPTER_FRAMEWORK_731_SP004_000000, XI_ADAPTER_FRAMEWORK_731_SP999999_999999, XI_TOOLS_30_SP024_000013, XI_TOOLS_30_SP025_000014, XI_TOOLS_30_SP026_000011, XI_TOOLS_30_SP027_000008, XI_TOOLS_30_SP030_000000, XI_TOOLS_30_SP999999_999999, XI_TOOLS_700_SP023_000012, XI_TOOLS_700_SP024_000014, XI_TOOLS_700_SP025_000007, XI_TOOLS_700_SP026_000002, XI_TOOLS_700_SP028_000000, XI_TOOLS_700_SP999999_999999, XI_TOOLS_701_SP007_000013, XI_TOOLS_701_SP008_000008, XI_TOOLS_701_SP009_000008, XI_TOOLS_701_SP010_000005, XI_TOOLS_701_SP011_000001, XI_TOOLS_701_SP012_000000, XI_TOOLS_701_SP999999_999999, XI_TOOLS_702_SP003_000008, XI_TOOLS_702_SP004_000009, XI_TOOLS_702_SP005_000009, XI_TOOLS_702_SP006_000009, XI_TOOLS_702_SP007_000007, XI_TOOLS_702_SP008_000006, XI_TOOLS_702_SP009_000005, XI_TOOLS_702_SP010_000003, XI_TOOLS_702_SP011_000002, XI_TOOLS_702_SP012_000000, XI_TOOLS_702_SP999999_999999, XI_TOOLS_711_SP006_000018, XI_TOOLS_711_SP007_000007, XI_TOOLS_711_SP008_000005, XI_TOOLS_711_SP010_000000, XI_TOOLS_711_SP999999_999999, XI_TOOLS_730_SP000_000001, XI_TOOLS_730_SP001_000007, XI_TOOLS_730_SP002_000007, XI_TOOLS_730_SP003_000009, XI_TOOLS_730_SP005_000007, XI_TOOLS_730_SP008_000000, XI_TOOLS_730_SP999999_999999, XI_TOOLS_731_SP001_000003, XI_TOOLS_731_SP002_000003, XI_TOOLS_731_SP003_000004, XI_TOOLS_731_SP004_000000, XI_TOOLS_731_SP999999_999999)
Описание
User inputs for directory traversal not validated. i.e. In the file name input containing .. and \ and / for navigation were not validated.
Как исправить
This patch would fix the security issues mentioned with ESR which could cause a potential security threat like XI administrative tools exhibiting several possibilities for script injection attacks via URL parameters.The directory traversal threat used to access the files in the file system of the user is addressed in the fix. In the directory and repository support page for Exportability Servlet, the input fields have been handled to not allow the user to traverse through the file system using .. and / and \ characters.Customer can find out the version that he uses by opening the Administration pages of ESR and then clicking on "Software Build Information" link and viewing the following information - Make Release ,SPS Number.All the affected versions are fixed.You can get the fixed versions from the service market place.Service Market Place -> Downloads -> SAP Support Package -> Enter by Application Group -> SAP Netweaver -> Select desired Release -> Desired SCA.
Ссылки