Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:S/C:N/I:P/A:PSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1757675-5)
SAP Support Packages
(DI_CHANGE_MGMT_SERVER__701_SP009_000005, DI_CHANGE_MGMT_SERVER__701_SP010_000005, DI_CHANGE_MGMT_SERVER__701_SP011_000003, DI_CHANGE_MGMT_SERVER__701_SP012_000003, DI_CHANGE_MGMT_SERVER__701_SP013_000000, DI_CHANGE_MGMT_SERVER__701_SP014_000000, DI_CHANGE_MGMT_SERVER__701_SP999999_999999, DI_CHANGE_MGMT_SERVER__702_SP007_000004, DI_CHANGE_MGMT_SERVER__702_SP008_000004, DI_CHANGE_MGMT_SERVER__702_SP009_000004, DI_CHANGE_MGMT_SERVER__702_SP010_000003, DI_CHANGE_MGMT_SERVER__702_SP011_000003, DI_CHANGE_MGMT_SERVER__702_SP012_000003, DI_CHANGE_MGMT_SERVER__702_SP013_000000, DI_CHANGE_MGMT_SERVER__702_SP014_000000, DI_CHANGE_MGMT_SERVER__702_SP999999_999999, DI_CHANGE_MGMT_SERVER_700_SP024_000005, DI_CHANGE_MGMT_SERVER_700_SP025_000005, DI_CHANGE_MGMT_SERVER_700_SP026_000003, DI_CHANGE_MGMT_SERVER_700_SP027_000003, DI_CHANGE_MGMT_SERVER_700_SP028_000000, DI_CHANGE_MGMT_SERVER_700_SP029_000000, DI_CHANGE_MGMT_SERVER_700_SP999999_999999, DI_CHANGE_MGMT_SERVER_710_SP012_000001, DI_CHANGE_MGMT_SERVER_710_SP013_000002, DI_CHANGE_MGMT_SERVER_710_SP014_000002, DI_CHANGE_MGMT_SERVER_710_SP015_000002, DI_CHANGE_MGMT_SERVER_710_SP016_000000, DI_CHANGE_MGMT_SERVER_710_SP017_000000, DI_CHANGE_MGMT_SERVER_710_SP999999_999999, DI_CHANGE_MGMT_SERVER_711_SP007_000003, DI_CHANGE_MGMT_SERVER_711_SP008_000002, DI_CHANGE_MGMT_SERVER_711_SP009_000002, DI_CHANGE_MGMT_SERVER_711_SP010_000002, DI_CHANGE_MGMT_SERVER_711_SP011_000000, DI_CHANGE_MGMT_SERVER_711_SP012_000000, DI_CHANGE_MGMT_SERVER_711_SP999999_999999, DI_CHANGE_MGMT_SERVER_720_SP005_000003, DI_CHANGE_MGMT_SERVER_720_SP006_000002, DI_CHANGE_MGMT_SERVER_720_SP007_000002, DI_CHANGE_MGMT_SERVER_720_SP008_000002, DI_CHANGE_MGMT_SERVER_720_SP009_000000, DI_CHANGE_MGMT_SERVER_720_SP999999_999999, DI_CHANGE_MGMT_SERVER_730_SP002_000003, DI_CHANGE_MGMT_SERVER_730_SP003_000003, DI_CHANGE_MGMT_SERVER_730_SP004_000003, DI_CHANGE_MGMT_SERVER_730_SP005_000003, DI_CHANGE_MGMT_SERVER_730_SP007_000002, DI_CHANGE_MGMT_SERVER_730_SP008_000002, DI_CHANGE_MGMT_SERVER_730_SP009_000000, DI_CHANGE_MGMT_SERVER_730_SP999999_999999, DI_CHANGE_MGMT_SERVER_731_SP002_000003, DI_CHANGE_MGMT_SERVER_731_SP003_000003, DI_CHANGE_MGMT_SERVER_731_SP004_000002, DI_CHANGE_MGMT_SERVER_731_SP005_000001, DI_CHANGE_MGMT_SERVER_731_SP006_000000, DI_CHANGE_MGMT_SERVER_731_SP007_000000, DI_CHANGE_MGMT_SERVER_731_SP999999_999999, JDI_640_SP027_000002, JDI_640_SP028_000003, JDI_640_SP029_000002, JDI_640_SP030_000001, JDI_640_SP031_000000, JDI_640_SP032_000000, JDI_640_SP999999_999999, LIFECYCLE_MGMT_TOOLS_701_SP009_000012, LIFECYCLE_MGMT_TOOLS_701_SP010_000009, LIFECYCLE_MGMT_TOOLS_701_SP011_000004, LIFECYCLE_MGMT_TOOLS_701_SP012_000002, LIFECYCLE_MGMT_TOOLS_701_SP013_000000, LIFECYCLE_MGMT_TOOLS_701_SP999999_999999, LIFECYCLE_MGMT_TOOLS_702_SP007_000011, LIFECYCLE_MGMT_TOOLS_702_SP008_000011, LIFECYCLE_MGMT_TOOLS_702_SP009_000010, LIFECYCLE_MGMT_TOOLS_702_SP010_000009, LIFECYCLE_MGMT_TOOLS_702_SP011_000007, LIFECYCLE_MGMT_TOOLS_702_SP012_000001, LIFECYCLE_MGMT_TOOLS_702_SP013_000000, LIFECYCLE_MGMT_TOOLS_702_SP999999_999999, LM_CTS_720_SP005_000002, LM_CTS_720_SP006_000001, LM_CTS_720_SP007_000002, LM_CTS_720_SP008_000001, LM_CTS_720_SP009_000000, LM_CTS_720_SP999999_999999, LM_CTS_730_SP002_000003, LM_CTS_730_SP003_000002, LM_CTS_730_SP004_000002, LM_CTS_730_SP005_000005, LM_CTS_730_SP007_000004, LM_CTS_730_SP008_000001, LM_CTS_730_SP009_000000, LM_CTS_730_SP999999_999999, LM_CTS_731_SP002_000006, LM_CTS_731_SP003_000005, LM_CTS_731_SP004_000003, LM_CTS_731_SP005_000000, LM_CTS_731_SP006_000000, LM_CTS_731_SP999999_999999)
Описание
Directory traversal with write or read/write authorization:CMS/CM Services fails to correctly validate the path to which a user-submitted file is written. As a result, an attacker can potentially overwrite data in the remote system.
Как исправить
Check which of the following software components are installed on your Java application server:SAP_DEVINF (Release 6.40)DI_CMS (Release 7.00 to 7.31)LM-TOOLS (Release 7.01 and 7.02)LM-CTS (Release 7.20 to 7.31)If one or more of the software components listed above are installed on your Java application server, install the patch(es) attached to this SAP Note that correspond to the release and the Support Package level of the software components using JSPM, SDM, or SUM.
Ссылки