Vulnerabilities related to sap - gui
var-201506-0132
Vulnerability from variot
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.
The LZC decompression implementation in multiple SAP products (the CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) contains a stack-based buffer overflow vulnerability. The vendor has confirmed this vulnerability and released it as SAP Security Note 2124806, 2121661, 2127995, and 2125316. An attacker could cause a denial of service (crash) or execute arbitrary code.
Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.
1. Advisory Information
Title: SAP LZC/LZH Compression Multiple Vulnerabilities
Advisory ID: CORE-2015-0009
Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Date published: 2015-05-12
Date of last update: 2015-05-12
Vendors contacted: SAP
Release mode: Coordinated release
2. Vulnerability Information
Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2015-2282, CVE-2015-2278
3. Vulnerability Description
SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1]. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.
4. Vulnerable Packages
SAP Netweaver Application Server ABAP
SAP Netweaver Application Server Java
SAP Netweaver RFC SDK
SAP RFC SDK
SAP GUI
SAP MaxDB database
SAPCAR archive tool
Other products and versions might be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
SAP published the following Security Notes:
2124806
2121661
2127995
2125316
They can be accessed by SAP clients in their Support Portal [15].
Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11].
The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.
7.1.
The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.

    [..]
    int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                                   SAP_INT    inlen,
                                   SAP_BYTE * outbuf,
                                   SAP_INT    outlen,
                                   SAP_INT    option,
                                   SAP_INT *  bytes_read,
                                   SAP_INT *  bytes_written)
    [..]
        /* Generate output characters in reverse order ...................*/
        while (code >= 256)
        {
          *stackp++ = TAB_SUFFIXOF(code);
          OVERFLOW_CHECK
          code = TAB_PREFIXOF(code);
        }
    [..]

Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables.
It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation).
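An added example (not code from the advisory or from SAP) of the checks the reverse-order walk in 7.1 needs: the code must name a defined entry, the stack store must be bounded before it happens, and each prefix must refer to an older code so the walk terminates. The dictionary layout, the names (`lzc_dict`, `lzc_expand_code`) and the 12-bit table size are assumptions of this toy model, not the MaxDB data structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIRST_FREE 256   /* first dictionary code (toy model: no control codes) */
#define MAX_CODES  4096  /* 12-bit dictionary, assumed for this example */

enum { LZC_BAD_CODE = -1, LZC_CHAIN_TOO_LONG = -2, LZC_OUT_FULL = -3 };

typedef struct {
    uint16_t prefix[MAX_CODES];  /* code of the string without its last byte */
    uint8_t  suffix[MAX_CODES];  /* last byte of the string */
    unsigned free_ent;           /* next unused code */
} lzc_dict;

static void lzc_init(lzc_dict *d)
{
    memset(d, 0, sizeof *d);
    d->free_ent = FIRST_FREE;
}

/* Add "string(prefix) + suffix"; the prefix must already exist. */
static int lzc_add(lzc_dict *d, unsigned prefix, uint8_t suffix)
{
    if (d->free_ent >= MAX_CODES || prefix >= d->free_ent)
        return LZC_BAD_CODE;
    d->prefix[d->free_ent] = (uint16_t)prefix;
    d->suffix[d->free_ent] = suffix;
    return (int)d->free_ent++;
}

/*
 * Expand one code into out[]. Returns the number of bytes written, or a
 * negative LZC_* error. Same reverse-order walk as the excerpt, with checks.
 */
static int lzc_expand_code(const lzc_dict *d, unsigned code,
                           uint8_t *out, size_t outlen)
{
    uint8_t stack[MAX_CODES];
    uint8_t *sp = stack;
    uint8_t *const end = stack + sizeof stack;

    /* 1. The code must name an entry that has actually been defined. */
    if (code >= d->free_ent)
        return LZC_BAD_CODE;

    while (code >= 256) {
        /* 2. Check for room BEFORE the store, not after it. */
        if (sp == end)
            return LZC_CHAIN_TOO_LONG;
        *sp++ = d->suffix[code];

        /* 3. A prefix always refers to an older (smaller) code. Enforcing
         *    that makes the chain strictly decreasing, so it cannot loop
         *    and its length is bounded by the table size. */
        unsigned next = d->prefix[code];
        if (next >= code)
            return LZC_BAD_CODE;
        code = next;
    }
    if (sp == end)
        return LZC_CHAIN_TOO_LONG;
    *sp++ = (uint8_t)code;           /* first byte of the string */

    size_t n = (size_t)(sp - stack);
    if (n > outlen)                  /* never write past the caller's buffer */
        return LZC_OUT_FULL;
    for (size_t i = 0; i < n; i++)   /* undo the reverse order */
        out[i] = *--sp;
    return (int)n;
}

int main(void)
{
    lzc_dict d;
    uint8_t out[16];

    lzc_init(&d);
    int ab  = lzc_add(&d, 'a', 'b');            /* code 256 = "ab"  */
    int abc = lzc_add(&d, (unsigned)ab, 'c');   /* code 257 = "abc" */

    int n = lzc_expand_code(&d, (unsigned)abc, out, sizeof out);
    printf("valid code:     %d bytes: %.*s\n", n, n, (const char *)out);
    printf("undefined code: %d\n", lzc_expand_code(&d, 300, out, sizeof out));

    d.prefix[257] = 257;  /* constructed corruption: entry refers to itself */
    printf("cyclic entry:   %d\n", lzc_expand_code(&d, 257, out, sizeof out));
    return 0;
}
```

With check 3 in place the stack bound in check 2 can no longer be reached; it stays as a second line of defence in case the table invariant is ever broken elsewhere.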
7.2. LZH decompression out-of-bounds read
The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.
The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer.

    [..]
    int CsObjectInt::BuildHufTree (
              unsigned * b,  /* code lengths in bits (all assumed <= BMAX) */
              unsigned   n,  /* number of codes (assumed <= N_MAX)         */
              unsigned   s,  /* number of simple-valued codes (0..s-1)     */
              int      * d,  /* list of base values for non-simple codes   */
              int      * e,  /* list of extra bits for non-simple codes    */
              HUFTREE  **t,  /* result: starting table                     */
              int      * m)  /* maximum lookup bits, returns actual        */
    [..]
            if (p >= v + n)
            {
              r.e = INVALIDCODE;     /* out of values--invalid code */
            }
            else if (*p < s)
            {                        /* 256 is end-of-block code */
              r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
              r.v.n = (unsigned short) *p;  /* simple code is just the value*/
              p++;
            }
            else
            {
              r.e = (unsigned char) e[*p - s];  /*non-simple,look up in lists*/
              r.v.n = (unsigned short) d[*p - s];
              p++;
            }
    [..]

The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access.
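An added example (not the advisory's code and not SAP's fix) of the same three-way branch with the list index validated before `e[]` and `d[]` are read. The `list_len` parameter, the `huf_entry` type, the function name and the numeric values of the entry kinds are assumptions made for this example; the original signature carries no length for the two lists.

```c
#include <stddef.h>
#include <stdio.h>

/* Entry kinds; the numeric values are chosen for this example only. */
enum { EX_LITCODE = 16, EX_EOBCODE = 15, EX_INVALIDCODE = 99 };

typedef struct {
    unsigned char  e;  /* entry kind, or extra-bit count for non-simple codes */
    unsigned short n;  /* literal value, or base value for non-simple codes   */
} huf_entry;

/*
 * Fill one table entry from the value at p, mirroring the branches of the
 * excerpt. v_end is one past the last value (v + n in the excerpt); list_len
 * is the number of elements in BOTH d[] and e[].
 * Returns 0 on success, -1 if the value has no slot in the lists.
 */
static int fill_entry_checked(huf_entry *r, const unsigned *p,
                              const unsigned *v_end, unsigned s,
                              const int *d, const int *e, size_t list_len)
{
    if (p >= v_end) {                 /* out of values: invalid code */
        r->e = EX_INVALIDCODE;
        r->n = 0;
        return 0;
    }
    if (*p < s) {                     /* simple code is just the value */
        r->e = (unsigned char)(*p < 256 ? EX_LITCODE : EX_EOBCODE);
        r->n = (unsigned short)*p;
        return 0;
    }

    /* Non-simple code: *p - s comes from the compressed stream, so it is
     * checked against the list length before it is used as an index. */
    size_t idx = (size_t)(*p - s);
    if (idx >= list_len) {
        r->e = EX_INVALIDCODE;
        r->n = 0;
        return -1;                    /* caller should abort decompression */
    }
    r->e = (unsigned char)e[idx];
    r->n = (unsigned short)d[idx];
    return 0;
}

int main(void)
{
    /* Constructed sample data: 257 simple codes, three non-simple codes. */
    const unsigned v[] = { 65, 256, 258, 400 };
    const int d[] = { 3, 4, 5 };
    const int e[] = { 0, 0, 1 };
    huf_entry r;

    for (size_t i = 0; i < 4; i++) {
        int rc = fill_entry_checked(&r, v + i, v + 4, 257, d, e, 3);
        printf("value %u -> rc=%d e=%u n=%u\n", v[i], rc, r.e, r.n);
    }
    return 0;
}
```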
7.3. Attack scenarios
The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At the very least, the following scenarios can be identified:
7.3.1. Attacks against server-side components
SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.
7.3.2. Client-side attacks
An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.
7.3.3. Man-in-the-middle attacks
As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.
7.4. Looking in binaries for compression routines
The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program.
The following Radare [14] command can be used to check if a binary file includes the mentioned constants:

    $ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file>

Example output:

    $ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64

    SAPCAR64: 000 @ 0x1082c1
       offset   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    0x001082c1  0103 070f 1f3f 7fff fffe fcf8 f0e0 c080  .....?..........
    0x001082d1  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x001082e1  0000 0000 0000 0000 0000 0000 0000 0004  ................
    0x001082f1  0000 0004 0000 0010 0000 0000 0000 0006  ................
    0x00108301  0000 0008 0000 0010 0000 0000 0000       ..............

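The same check as the rafind2 command, as an added example (not part of the advisory) for inventorying binaries on hosts without radare: it searches a file for the two 8-byte constants from the command above and reports a hit only when both are present. The function names are hypothetical, and reading the whole file into memory is a simplification.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two byte sequences passed to rafind2 -x in the advisory. */
static const unsigned char CONST_A[8] = {0xff,0xfe,0xfc,0xf8,0xf0,0xe0,0xc0,0x80};
static const unsigned char CONST_B[8] = {0x01,0x03,0x07,0x0f,0x1f,0x3f,0x7f,0xff};

typedef struct { long off_a; long off_b; } scan_result;  /* -1 = not found */

/* First offset of pat in buf, or -1. */
static long find_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *pat, size_t plen)
{
    if (plen == 0 || len < plen)
        return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (buf[i] == pat[0] && memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

static scan_result scan_buffer(const unsigned char *buf, size_t len)
{
    scan_result r;
    r.off_a = find_bytes(buf, len, CONST_A, sizeof CONST_A);
    r.off_b = find_bytes(buf, len, CONST_B, sizeof CONST_B);
    return r;
}

/* Both constants present: the binary likely embeds the routines. */
static int has_both(scan_result r)
{
    return r.off_a >= 0 && r.off_b >= 0;
}

/* Returns 0 and fills *r on success, -1 if the file cannot be read. */
static int scan_file(const char *path, scan_result *r)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return -1; }
    rewind(f);

    unsigned char *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) { fclose(f); return -1; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);

    *r = scan_buffer(buf, got);
    free(buf);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        /* Constructed sample: both constants back to back, as in the
         * SAPCAR64 output shown above, preceded by five zero bytes. */
        unsigned char sample[32] = {0};
        memcpy(sample + 5, CONST_B, sizeof CONST_B);
        memcpy(sample + 13, CONST_A, sizeof CONST_A);
        scan_result r = scan_buffer(sample, sizeof sample);
        printf("sample: A@%ld B@%ld both=%d\n", r.off_a, r.off_b, has_both(r));
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        scan_result r;
        if (scan_file(argv[i], &r) != 0) {
            fprintf(stderr, "%s: cannot read\n", argv[i]);
            continue;
        }
        printf("%s: %s (A@%ld, B@%ld)\n", argv[i],
               has_both(r) ? "constants found" : "not found",
               r.off_a, r.off_b);
    }
    return 0;
}
```

A hit only shows that the routines are compiled in; whether the binary is patched still has to be established from the SAP Security Notes listed in section 5.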
8. Report Timeline
2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday).
2015-01-21: SAP confirms reception and requests a draft version of the advisory.
2015-01-21: Core Security sends the draft version of the advisory to the vendor.
2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015.
2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities.
2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed.
2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date.
2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished.
2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations.
2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for May 12th, 2015.
2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory.
2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated.
2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner.
2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015).
2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix.
2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested that we wait 3 months to publish our findings and send them the advisory before it is published.
2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offers Core's publication link. Additionally, Core explained that it is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email.
2015-05-12: Advisory CORE-2015-0009 published.
9. References
[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78
[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/
[3] http://conus.info/utils/SAP_pkt_decompr.txt
[4] https://github.com/sensepost/SAPProx
[5] https://github.com/sensepost/SapCap
[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html
[7] https://github.com/CoreSecurity/pysap
[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark
[9] https://github.com/daberlin/sap-reposrc-decompressor
[10] https://labs.mwrinfosecurity.com/tools/sap-decom/
[11] http://www.oxid.it/cain.html
[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html
[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html
[14] http://radare.org/y/
[15] https://service.sap.com/securitynotes
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc", "sources": [ { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "BID", "id": "74643" }, { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "PACKETSTORM", "id": "131883" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2015-2282", "trust": 2.9 }, { "db": "PACKETSTORM", "id": "131883", "trust": 1.8 }, { "db": "BID", "id": "74643", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2015-002923", "trust": 0.8 }, { "db": "SECUNIA", "id": "64440", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201505-483", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2015-2282", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "id": "VAR-201506-0132", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.167840075 }, "last_update_date": "2023-12-18T13:24:46.118000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Note 2124806/2121661/2127995/2125316", "trust": 0.8, "url": 
"http://scn.sap.com/docs/doc-55451" }, { "title": "martingalloar", "trust": 0.1, "url": "https://github.com/martingalloar/martingalloar " }, { "title": "publications", "trust": 0.1, "url": "https://github.com/martingalloar/publications " }, { "title": "The Register", "trust": 0.1, "url": "https://www.theregister.co.uk/2015/05/14/saps_compression_is_buggy_and_insecure/" }, { "title": "Threatpost", "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "NVD", "id": "CVE-2015-2282" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "trust": 1.7, "url": "http://packetstormsecurity.com/files/131883/sap-lzc-lzh-compression-denial-of-service.html" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/50" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/96" }, { "trust": 1.2, "url": "http://www.securityfocus.com/bid/74643" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2282" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2282" }, { "trust": 0.6, "url": 
"http://www.securityfocus.com/archive/1/archive/1/535535/100/0/threaded" }, { "trust": 0.6, "url": "http://secunia.com/advisories/64440" }, { "trust": 0.3, "url": "http://www.sap.com" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/119.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html." }, { "trust": 0.1, "url": "http://www.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapcap." }, { "trust": 0.1, "url": "https://github.com/coresecurity/sap-dissection-plug-in-for-wireshark." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapprox." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html." }, { "trust": 0.1, "url": "https://service.sap.com/securitynotes." }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "https://github.com/coresecurity/pysap." }, { "trust": 0.1, "url": "http://conus.info/utils/sap_pkt_decompr.txt." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2282" }, { "trust": 0.1, "url": "http://www.oxid.it/cain.html." }, { "trust": 0.1, "url": "https://labs.mwrinfosecurity.com/tools/sap-decom/." }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/daberlin/sap-reposrc-decompressor." }, { "trust": 0.1, "url": "http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html." }, { "trust": 0.1, "url": "http://radare.org/y/." }, { "trust": 0.1, "url": "http://en.wikipedia.org/wiki/lz77_and_lz78." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2278" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-06-02T00:00:00", "db": "VULMON", "id": "CVE-2015-2282" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "date": "2015-05-13T17:48:36", "db": "PACKETSTORM", "id": "131883" }, { "date": "2015-06-02T14:59:08.880000", "db": "NVD", "id": "CVE-2015-2282" }, { "date": "2015-05-22T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-09T00:00:00", "db": "VULMON", "id": "CVE-2015-2282" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "date": "2018-10-09T19:56:14.093000", "db": "NVD", "id": "CVE-2015-2282" }, { "date": "2015-06-03T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-483" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "plural SAP Product LZC Stack-based buffer overflow vulnerability in the decompression implementation", "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002923" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-483" } ], "trust": 0.6 } }
var-202211-0884
Vulnerability from variot
SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries, which can cause a limited impact on confidentiality and a high impact on availability of the application. SAP GUI contains a code injection vulnerability. Information may be obtained and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202211-0884", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "gui", "scope": "eq", "trust": 1.8, "vendor": "sap", "version": "7.70" }, { "model": "gui", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "gui", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": null } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:gui:7.70:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-41205" } ] }, "cve": "CVE-2022-41205", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 1.8, "impactScore": 4.2, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1" }, { "attackComplexity": "HIGH", "attackVector": 
"LOCAL", "author": "cna@sap.com", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 0.8, "impactScore": 4.7, "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "High", "baseScore": 6.1, "baseSeverity": "Medium", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2022-41205", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-41205", "trust": 1.8, "value": "MEDIUM" }, { "author": "cna@sap.com", "id": "CVE-2022-41205", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202211-2363", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application. 
SAP of SAP GUI There is a code injection vulnerability in.Information is obtained and service operation is interrupted (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "JVNDB", "id": "JVNDB-2022-020542" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-41205", "trust": 3.2 }, { "db": "JVNDB", "id": "JVNDB-2022-020542", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202211-2363", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "id": "VAR-202211-0884", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.19973545 }, "last_update_date": "2023-12-18T13:50:47.705000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP GUI Fixes for code injection vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=213771" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-94", "trust": 1.0 }, { "problemtype": "Code injection (CWE-94) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": 
"JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "trust": 1.6, "url": "https://launchpad.support.sap.com/#/notes/3237251" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41205" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-41205/" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-39865" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "db": "NVD", "id": "CVE-2022-41205" }, { "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "date": "2022-11-08T22:15:17.657000", "db": "NVD", "id": "CVE-2022-41205" }, { "date": "2022-11-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-02T08:03:00", "db": "JVNDB", "id": "JVNDB-2022-020542" }, { "date": "2023-11-07T03:52:43.860000", "db": "NVD", "id": "CVE-2022-41205" }, { "date": "2022-11-10T00:00:00", "db": "CNNVD", "id": "CNNVD-202211-2363" } ] }, "threat_type": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202211-2363" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP\u00a0 of \u00a0SAP\u00a0GUI\u00a0 Code injection vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-020542" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code injection", "sources": [ { "db": "CNNVD", "id": "CNNVD-202211-2363" } ], "trust": 0.6 } }
var-201703-1156
Vulnerability from variot
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via crafted ABAP code, aka SAP Security Note 2407616. SAP GUI is prone to a remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code within the context of the affected application. The title and technical details have been changed to better reflect the vulnerability impact.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201703-1156", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "gui for windows", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "7.30" }, { "model": "gui for windows", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "7.20" }, { "model": "gui for windows", "scope": "eq", "trust": 1.6, "vendor": "sap", 
"version": "7.50_core_sp000" }, { "model": "gui for windows", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "7.40_core_sp00-sp011" }, { "model": "gui", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "for windows 7.2 to 7.5" }, { "model": "gui core sp000", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.50" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.30" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.20" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "10.0.1" } ], "sources": [ { "db": "BID", "id": "96872" }, { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.40_core_sp00-sp011:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.50_core_sp000:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui_for_windows:7.20:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2017-6950" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The vendor reported this issue.", "sources": [ { "db": "BID", "id": "96872" } ], "trust": 0.3 }, "cve": "CVE-2017-6950", "cvss": { "@context": { "cvssV2": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": true, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 7.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2017-6950", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2017-6950", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2017-6950", "trust": 1.8, "value": "CRITICAL" }, { "author": "CNNVD", "id": "CNNVD-201703-691", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616. SAP GUI is prone to a remote code-execution vulnerability. \nAn attacker may exploit this issue to execute arbitrary code within the context of the affected application. 
The title and technical details have been changed to better reflect the vulnerability impact", "sources": [ { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "BID", "id": "96872" } ], "trust": 1.89 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-6950", "trust": 2.7 }, { "db": "BID", "id": "96872", "trust": 2.7 }, { "db": "SECTRACK", "id": "1038122", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2017-002686", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201703-691", "trust": 0.6 } ], "sources": [ { "db": "BID", "id": "96872" }, { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "id": "VAR-201703-1156", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.19973545 }, "last_update_date": "2023-12-18T13:34:18.667000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "https://www.sap.com/index.html" }, { "title": "SAP GUI Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68525" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-732", "trust": 1.0 }, { "problemtype": "CWE-284", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "http://www.securityfocus.com/bid/96872" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id/1038122" }, { "trust": 1.6, "url": "https://erpscan.io/advisories/erpscan-17-011-sap-gui-versions-remote-code-execution-bypass-security-policy/" }, { "trust": 1.1, "url": "https://erpscan.com/advisories/erpscan-17-011-sap-gui-versions-remote-code-execution-bypass-security-policy/" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6950" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-6950" }, { "trust": 0.3, "url": "http://www.sap.com/" }, { "trust": 0.3, "url": "https://threatpost.com/sap-vulnerability-puts-business-data-at-risk-for-thousands-of-companies/124473/" }, { "trust": 0.3, "url": "https://service.sap.com/sap/support/notes/2407616" }, { "trust": 0.3, "url": "https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/" }, { "trust": 0.3, "url": "https://blogs.sap.com/2017/03/14/sap-security-patch-day-march-2017/ " } ], "sources": [ { "db": "BID", "id": "96872" }, { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "96872" }, { "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "db": "NVD", "id": "CVE-2017-6950" }, { "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, 
"sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-03-14T00:00:00", "db": "BID", "id": "96872" }, { "date": "2017-04-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "date": "2017-03-23T20:59:00.877000", "db": "NVD", "id": "CVE-2017-6950" }, { "date": "2017-03-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-04-18T02:04:00", "db": "BID", "id": "96872" }, { "date": "2017-04-25T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-002686" }, { "date": "2019-10-03T00:03:26.223000", "db": "NVD", "id": "CVE-2017-6950" }, { "date": "2019-10-23T00:00:00", "db": "CNNVD", "id": "CNNVD-201703-691" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201703-691" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI In Vulnerabilities that circumvent security policy restrictions", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-002686" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lack of information", "sources": [ { "db": "CNNVD", "id": "CNNVD-201703-691" } ], "trust": 0.6 } }
var-200907-0583
Vulnerability from variot
SAP NetWeaver is prone to an information-disclosure vulnerability because it fails to properly secure communication channels between clients and servers. Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200907-0583", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.6, "vendor": "sap", "version": "7.109" }, { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.108" }, { "model": "ag sapgui", "scope": "eq", "trust": 0.3, "vendor":
"sap", "version": "0" }, { "model": "netweaver application server sp21", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.40104329.313" }, { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.4029" }, { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.105" }, { "model": "netweaver application server sp17", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.40104329.313" }, { "model": "sapgui d for windows", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "4.6" }, { "model": "netweaver portal sp21", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "2004" }, { "model": "netweaver application server sp17", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.40" }, { "model": "netweaver nw04s sp9", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver nw04 sp17", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "gui for windows patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.2072" }, { "model": "netweaver portal", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "2004.." 
}, { "model": "netweaver nw04 sp15", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver sp15", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.0" }, { "model": "sapgui final release patch", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6406403.3.11.1004" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.10" }, { "model": "gui for windows patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.006" }, { "model": "netweaver nw04s sp10", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver sp20", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "640" }, { "model": "netweaver nw04s sp8", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver nw04s sp11", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "sapgui c for windows", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "4.6" }, { "model": "ag sapgui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.4" }, { "model": "gui for windows patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.4030" }, { "model": "netweaver developer studio sp21", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "2004" }, { "model": "netweaver nw04s sp7", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "gui pl", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.10" }, { "model": "netweaver nw04 sp19", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver nw04 sp18", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver sp8", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.0" }, { "model": "gui patch", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.4029" }, { "model": "sapgui b for windows", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "4.6" }, { 
"model": "netweaver nw04 sp16", "scope": null, "trust": 0.3, "vendor": "sap", "version": null }, { "model": "netweaver portal sp17", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "2004" }, { "model": "sapgui for windows", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "4.6" }, { "model": "sapgui a for windows", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "4.6" }, { "model": "netweaver developer studio sp17", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "-2004" } ], "sources": [ { "db": "BID", "id": "35729" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Andreas Baus and Rene Ledosquet from Secaron AG", "sources": [ { "db": "BID", "id": "35729" } ], "trust": 0.3 }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP NetWeaver is prone to an information-disclosure vulnerability because it fails to properly secure communication channels between clients and servers.\nSuccessful exploits will allow attackers to obtain sensitive information that may aid in further attacks.", "sources": [ { "db": "BID", "id": "35729" } ], "trust": 0.3 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "35729", "trust": 0.3 } ], "sources": [ { "db": "BID", "id": "35729" } ] }, "id": "VAR-200907-0583", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices 
database", "id": null } ], "trust": 0.37810928875 }, "last_update_date": "2022-05-17T01:41:46.141000Z", "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.3, "url": "http://www.secaron.de/content/presse/fachartikel/sniffing_diag.pdf" }, { "trust": 0.3, "url": "http://www.sap.com/platform/netweaver/index.epx" } ], "sources": [ { "db": "BID", "id": "35729" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "35729" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-07-17T00:00:00", "db": "BID", "id": "35729" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-07-17T21:16:00", "db": "BID", "id": "35729" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "35729" } ], "trust": 0.3 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP NetWeaver Password Information Disclosure Vulnerability", "sources": [ { "db": "BID", "id": "35729" } ], "trust": 0.3 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Design Error", "sources": [ { "db": "BID", "id": "35729" } ], 
"trust": 0.3 } }
var-201104-0313
Vulnerability from variot
The SAP GUI is a graphical user interface client for SAP software. An attacker can build a saplogon.ini file containing a specially crafted label that overwrites the files on the user's upgrade server, causing a buffer overflow when the user installs the upgrade. Successful exploitation can execute arbitrary code in the context of the application. SAP GUI is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed attacks will cause denial-of-service conditions.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201104-0313", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "gui", "scope": "eq", "trust": 1.1, "vendor": "sap", "version": "7.1" }, { "model": "gui", "scope": "eq", "trust": 0.9, "vendor": "sap", "version": "7.2" }, { "model": null, "scope": "eq", "trust": 0.4, "vendor": "sap", "version": "*" }, { "model": "gui sp3",
"scope": "ne", "trust": 0.3, "vendor": "sap", "version": "7.20" }, { "model": "gui sp21", "scope": "ne", "trust": 0.3, "vendor": "sap", "version": "7.1" }, { "model": "gui", "scope": "eq", "trust": 0.2, "vendor": "sap", "version": "7.2*" } ], "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dmitriy Chastuhin", "sources": [ { "db": "BID", "id": "47359" } ], "trust": 0.3 }, "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": null, "accessVector": null, "authentication": null, "author": "IVD", "availabilityImpact": null, "baseScore": null, "confidentialityImpact": null, "exploitabilityScore": null, "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d", "impactScore": null, "integrityImpact": null, "severity": null, "trust": 0.2, "vectorString": null, "version": "unknown" } ], "cvssV3": [], "severity": [ { "author": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "HIGH" } ] } ], "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" } ] }, "description": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The SAP GUI is a graphical user interface client for SAP software. An attacker can build a saplogon.ini file containing a specially crafted label that overwrites the files on the user\u0027s upgrade server, causing a buffer overflow when the user installs the upgrade. Successful exploitation of a vulnerability can execute arbitrary code in the context of an application. SAP GUI is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed attacks will cause denial-of-service conditions", "sources": [ { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" }, { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" } ], "trust": 0.99 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "47359", "trust": 0.9 }, { "db": "CNVD", "id": "CNVD-2011-1469", "trust": 0.8 }, { "db": "IVD", "id": "87AE49E0-1F98-11E6-ABEF-000C29C66E3D", "trust": 0.2 } ], "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" } ] }, "id": "VAR-201104-0313", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" } ], "trust": 0.9997354500000001 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" } ] }, "last_update_date": "2022-05-17T02:01:22.331000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP GUI \u0027saplogon.ini\u0027 file buffer overflow vulnerability patch", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/3549" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-1469" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.6, "url": "http://dsecrg.com/pages/vul/show.php?id=317http" }, { "trust": 0.3, "url": "http://dsecrg.com/pages/vul/show.php?id=317" }, { "trust": 0.3, "url": "http://www.sap.com/" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-04-15T00:00:00", "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "date": "2011-04-15T00:00:00", "db": "CNVD", "id": "CNVD-2011-1469" }, { "date": "2011-04-14T00:00:00", "db": "BID", "id": "47359" } ] }, "sources_update_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-04-15T00:00:00", "db": "CNVD", "id": "CNVD-2011-1469" }, { "date": "2011-04-14T00:00:00", "db": "BID", "id": "47359" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "47359" } ], "trust": 0.3 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI \u0027saplogon.ini\u0027 File Buffer Overflow Vulnerability", "sources": [ { "db": "IVD", "id": "87ae49e0-1f98-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-1469" }, { "db": "BID", "id": "47359" } ], "trust": 1.1 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Boundary Condition Error", "sources": [ { "db": "BID", "id": "47359" } ], "trust": 0.3 } }
var-200904-0224
Vulnerability from variot
Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI 6.40 Patch 29 (KWEDIT.DLL 6400.1.1.41) and 7.10 Patch 5 (KWEDIT.DLL 7100.1.1.43) allows remote attackers to (1) overwrite arbitrary files via the SaveDocumentAs method or (2) read or execute arbitrary files via the OpenDocument method. SAP AG SAPgui KWEdit ActiveX control is prone to a remote code-execution vulnerability.
Successfully exploiting this issue allows an attacker to execute arbitrary code in the context of the application running the affected control (typically Internet Explorer).
This issue affects the following:
SAPgui 6.40 Patch Level 29 with KWEDIT.DLL 6400.1.1.41
SAPgui 7.10 Patch Level 5 with KWEDIT.DLL 7100.1.1.43
Other versions may be vulnerable as well.
Other versions may also be affected.
ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2008-56/
SAP Note 1294913: https://service.sap.com/sap/support/notes/1294913
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"SAP GUI is SAP's universal client for accessing SAP functionality in SAP applications such as - SAP ERP, SAP Business Suite (SAP CRM, SAP SCM and SAP PLM), SAP Business Intelligence and so on. SAP GUI functions like a browser. It gets information from the SAP server like what, where, when and how, to display contents in its window.".
Product Link: https://www.sdn.sap.com/irj/sdn/sap-gui
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a security issue in SAP GUI, which can be exploited by malicious people to gain knowledge of sensitive information, corrupt files, or compromise a user's system.
The problem is that the bundled KWEdit ActiveX control (KWEDIT.DLL) provides the insecure method "SaveDocumentAs()", which saves an HTML document to a specified location. This can be exploited in combination with e.g.
======================================================================
5) Solution
Update to the latest versions, which reportedly set the kill-bit for the ActiveX control.
======================================================================
6) Time Table
28/11/2008 - Vendor notified.
28/11/2008 - Vendor response.
14/01/2009 - Vendor provides patch for testing.
16/01/2009 - Vendor informed that patch prevents exploitation.
02/03/2009 - Status update requested.
02/03/2009 - Vendor provides status update.
15/04/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
SAP Note 1294913: https://service.sap.com/sap/support/notes/1294913
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-4830 for the vulnerability.
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-56/
Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
======================================================================
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0224", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "gui", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "6.40" }, { "model": "gui", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "7.10" }, { "model": "gui", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "6.40 patch 29 and 7.10 
patch 5" }, { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.105" }, { "model": "ag sapgui patch level", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "6.4029" } ], "sources": [ { "db": "BID", "id": "34524" }, { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:sap_gui:6.40:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:sap_gui:7.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-4830" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Carsten Eiram", "sources": [ { "db": "BID", "id": "34524" }, { "db": "PACKETSTORM", "id": "76690" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ], "trust": 1.0 }, "cve": "CVE-2008-4830", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, 
"@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.6, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 9.3, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2008-4830", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-4830", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-200904-336", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI 6.40 Patch 29 (KWEDIT.DLL 6400.1.1.41) and 7.10 Patch 5 (KWEDIT.DLL 7100.1.1.43) allows remote attackers to (1) overwrite arbitrary files via the SaveDocumentAs method or (2) read or execute arbitrary files via the OpenDocument method. 
SAP AG SAPgui KWEdit ActiveX control is prone to a remote code-execution vulnerability. \nSuccessfully exploiting this issue allows an attacker to execute arbitrary code in the context of the application running the affected control (typically Internet Explorer). \nThis issue affects the following:\nSAPgui 6.40 Patch Level 29 with KWEDIT.DLL 6400.1.1.41\nSAPgui 7.10 Patch Level 5 with KWEDIT.DLL 7100.1.1.43\nOther versions may be vulnerable as well. ----------------------------------------------------------------------\n\nSecunia is pleased to announce the release of the annual Secunia\nreport for 2008. Other versions may also be affected. \n\nORIGINAL ADVISORY:\nSecunia Research:\nhttp://secunia.com/secunia_research/2008-56/\n\nSAP Note 1294913:\nhttps://service.sap.com/sap/support/notes/1294913\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. 
\n\n====================================================================== \n2) Severity \n\nRating: Highly critical\nImpact: System compromise\nWhere: Remote\n\n====================================================================== \n3) Vendor\u0027s Description of Software \n\n\"SAP GUI is SAP\u0027s universal client for accessing SAP functionality in\nSAP applications such as - SAP ERP, SAP Business Suite (SAP CRM, SAP\nSCM and SAP PLM), SAP Business Intelligence and so on. SAP GUI\nfunctions like a browser. It gets information from the SAP server like\nwhat, where, when and how, to display contents in its window.\". \n\nProduct Link:\nhttps://www.sdn.sap.com/irj/sdn/sap-gui\n\n====================================================================== \n4) Description of Vulnerability\n\nSecunia Research has discovered a security issue in SAP GUI, which can\nbe exploited by malicious people to gain knowledge of sensitive \ninformation, corrupt files, or compromise a user\u0027s system. \n\nThe problem is that the bundled KWEdit ActiveX control (KWEDIT.DLL) \nprovides the insecure method \"SaveDocumentAs()\", which saves an HTML \ndocument to a specified location. This can be exploited in combination\nwith e.g. \n\n====================================================================== \n5) Solution \n\nUpdate to the latest versions, which reportedly set the kill-bit for \nthe ActiveX control. \n\n====================================================================== \n6) Time Table \n\n28/11/2008 - Vendor notified. \n28/11/2008 - Vendor response. \n14/01/2009 - Vendor provides patch for testing. \n16/01/2009 - Vendor informed that patch prevents exploitation. \n02/03/2009 - Status update requested. \n02/03/2009 - Vendor provides status update. \n15/04/2009 - Public disclosure. \n\n====================================================================== \n7) Credits \n\nDiscovered by Carsten Eiram, Secunia Research. 
\n\n====================================================================== \n8) References\n\nSAP Note 1294913:\nhttps://service.sap.com/sap/support/notes/1294913\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \nCVE-2008-4830 for the vulnerability. \n\n====================================================================== \n9) About Secunia\n\nSecunia offers vulnerability management solutions to corporate\ncustomers with verified and reliable vulnerability intelligence\nrelevant to their specific system configuration:\n\nhttp://secunia.com/advisories/business_solutions/\n\nSecunia also provides a publicly accessible and comprehensive advisory\ndatabase as a service to the security community and private \nindividuals, who are interested in or concerned about IT-security. \n\nhttp://secunia.com/advisories/\n\nSecunia believes that it is important to support the community and to\ndo active vulnerability research in order to aid improving the \nsecurity and reliability of software in general:\n\nhttp://secunia.com/secunia_research/\n\nSecunia regularly hires new skilled team members. 
Check the URL below\nto see currently vacant positions:\n\nhttp://secunia.com/corporate/jobs/\n\nSecunia offers a FREE mailing list called Secunia Security Advisories:\n\nhttp://secunia.com/advisories/mailing_lists/\n\n====================================================================== \n10) Verification \n\nPlease verify this advisory by visiting the Secunia website:\nhttp://secunia.com/secunia_research/2008-56/\n\nComplete list of vulnerability reports published by Secunia Research:\nhttp://secunia.com/secunia_research/\n\n======================================================================\n", "sources": [ { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "BID", "id": "34524" }, { "db": "PACKETSTORM", "id": "76718" }, { "db": "PACKETSTORM", "id": "76690" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-4830", "trust": 2.8 }, { "db": "BID", "id": "34524", "trust": 1.9 }, { "db": "SECUNIA", "id": "32869", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2009-1043", "trust": 1.6 }, { "db": "SECTRACK", "id": "1022062", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2009-005299", "trust": 0.8 }, { "db": "BUGTRAQ", "id": "20090415 SECUNIA RESEARCH: SAP GUI KWEDIT ACTIVEX CONTROL \"SAVEDOCUMENTAS()\" INSECURE METHOD", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200904-336", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "76718", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "76690", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "34524" }, { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "PACKETSTORM", "id": "76718" }, { "db": "PACKETSTORM", "id": "76690" }, { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "id": "VAR-200904-0224", "iot": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.212367725 }, "last_update_date": "2023-12-18T13:30:20.738000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP GUI", "trust": 0.8, "url": "http://help.sap.com/saphelp_smehp1/helpdata/ja/4f/472e42e1ef5633e10000000a155106/content.htm" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2009-005299" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "CWE-Other", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "NVD", "id": "CVE-2008-4830" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.1, "url": "http://secunia.com/secunia_research/2008-56/" }, { "trust": 1.6, "url": "http://secunia.com/advisories/32869" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/34524" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1022062" }, { "trust": 1.6, "url": "http://www.vupen.com/english/advisories/2009/1043" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/502698/100/0/threaded" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4830" }, { "trust": 0.8, "url": 
"http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-4830" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/502698/100/0/threaded" }, { "trust": 0.5, "url": "https://service.sap.com/sap/support/notes/1294913" }, { "trust": 0.3, "url": "http://support.microsoft.com/kb/240797" }, { "trust": 0.3, "url": "http://www.sap.com/" }, { "trust": 0.3, "url": "/archive/1/502698" }, { "trust": 0.1, "url": "http://secunia.com/advisories/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/32869/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/try_vi/request_2008_report/" }, { "trust": 0.1, "url": "http://secunia.com/secunia_research/" }, { "trust": 0.1, "url": "http://secunia.com/corporate/jobs/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/mailing_lists/" }, { "trust": 0.1, "url": "https://www.sdn.sap.com/irj/sdn/sap-gui" }, { "trust": 0.1, "url": "http://secunia.com/advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/business_solutions/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-4830" } ], "sources": [ { "db": "BID", "id": "34524" }, { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "PACKETSTORM", "id": "76718" }, { "db": "PACKETSTORM", "id": "76690" }, { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "34524" }, { "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "db": "PACKETSTORM", "id": "76718" }, { "db": "PACKETSTORM", "id": "76690" }, { "db": "NVD", "id": "CVE-2008-4830" }, { "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "sources_release_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-04-15T00:00:00", "db": "BID", "id": "34524" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "date": "2009-04-16T12:47:33", "db": "PACKETSTORM", "id": "76718" }, { "date": "2009-04-15T21:04:55", "db": "PACKETSTORM", "id": "76690" }, { "date": "2009-04-16T15:12:57.297000", "db": "NVD", "id": "CVE-2008-4830" }, { "date": "2009-04-16T00:00:00", "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-12-03T13:55:00", "db": "BID", "id": "34524" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2009-005299" }, { "date": "2018-10-11T20:52:58.997000", "db": "NVD", "id": "CVE-2008-4830" }, { "date": "2009-04-28T00:00:00", "db": "CNNVD", "id": "CNNVD-200904-336" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200904-336" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI of KWEdit ActiveX Vulnerability to overwrite arbitrary files in Control", "sources": [ { "db": "JVNDB", "id": "JVNDB-2009-005299" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-200904-336" } ], "trust": 0.6 } }
var-201709-0206
Vulnerability from variot
Cross-site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516. The vendor has published this vulnerability as SAP Security Notes 2469860, 2471209, and 2488516. Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. A remote user can conduct cross-site scripting attacks.
The software does not properly filter HTML code from user-supplied input before displaying the input. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP Enterprise Portal, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Link to remedies:
Web Dynpro Java - https://launchpad.support.sap.com/#/notes/2469860
SAPGUI for HTML - https://launchpad.support.sap.com/#/notes/2471209
Web Dynpro ABAP - https://launchpad.support.sap.com/#/notes/2488516
Credits: Imran Khan @Netizen01k reported this vulnerability
var-201007-0347
Vulnerability from variot
SAP GUI is a graphical user interface client for SAP software. The SAPWADMXHTML ActiveX control has an unspecified error when processing the value of the "tags" property. An attacker can construct a malicious web page and entice a user to visit it, corrupting heap memory. Successful exploitation can execute arbitrary instructions in the security context of the application.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201007-0347", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "gui", "scope": "eq", "trust": 0.6, "vendor": "sap", "version": "7.x" }, { "model": "gui sapwadmxhtml activex control", "scope": "eq", "trust": 0.6, "vendor": "sap", "version": "7.x" }, { "model": "gui", "scope": "eq", "trust": 0.2, "vendor": "sap", 
"version": "7.x*" }, { "model": "gui", "scope": "eq", "trust": 0.2, "vendor": "sap", "version": "*" }, { "model": "activex control", "scope": "eq", "trust": 0.2, "vendor": "sapwadmxhtml", "version": "7.x" } ], "sources": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": null, "accessVector": null, "authentication": null, "author": "IVD", "availabilityImpact": null, "baseScore": null, "confidentialityImpact": null, "exploitabilityScore": null, "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d", "impactScore": null, "integrityImpact": null, "severity": null, "trust": 0.2, "vectorString": null, "version": "unknown" } ], "cvssV3": [], "severity": [ { "author": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "HIGH" } ] } ], "sources": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The SAP GUI is a graphical user interface client for SAP software. 
The SAPWADMXHTML ActiveX control has an unspecified error when processing the value of the \\\"tags\\\" property, constructing a malicious WEB page to entice user access to destroy heap memory. Successful exploitation of a vulnerability can execute arbitrary instructions in an application security context", "sources": [ { "db": "CNVD", "id": "CNVD-2010-1370" }, { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" } ], "trust": 0.72 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "CNVD", "id": "CNVD-2010-1370", "trust": 0.8 }, { "db": "IVD", "id": "3F49DC30-1FB3-11E6-ABEF-000C29C66E3D", "trust": 0.2 } ], "sources": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "id": "VAR-201007-0347", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2010-1370" } ], "trust": 1.399867725 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "last_update_date": "2022-05-17T01:51:49.346000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, 
"data": [ { "title": "SAP GUI SAPWADMXHTML ActiveX control \\\"tags\\\" attribute memory corruption patch", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/659" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.6, "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-07/0229.htmlhttp" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-07-18T00:00:00", "db": "IVD", "id": "3f49dc30-1fb3-11e6-abef-000c29c66e3d" }, { "date": "2010-07-18T00:00:00", "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-07-18T00:00:00", "db": "CNVD", "id": "CNVD-2010-1370" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI SAPWADMXHTML ActiveX Control", "sources": [ { "db": "CNVD", "id": "CNVD-2010-1370" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Access control error", "sources": [ { "db": "IVD", "id": 
"3f49dc30-1fb3-11e6-abef-000c29c66e3d" } ], "trust": 0.2 } }
var-201506-0131
Vulnerability from variot
The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. The vendor has confirmed this vulnerability and released it as SAP Security Notes 2124806, 2121661, 2127995, and 2125316. An attacker could cause a denial of service (out-of-bounds read). Multiple SAP products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.
1. Advisory Information
Title: SAP LZC/LZH Compression Multiple Vulnerabilities
Advisory ID: CORE-2015-0009
Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Date published: 2015-05-12
Date of last update: 2015-05-12
Vendors contacted: SAP
Release mode: Coordinated release
2. Vulnerability Information
Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2015-2282, CVE-2015-2278
3. Vulnerability Description
SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.
4. Vulnerable Packages
SAP Netweaver Application Server ABAP.
SAP Netweaver Application Server Java.
SAP Netweaver RFC SDK
SAP RFC SDK
SAP GUI
SAP MaxDB database
SAPCAR archive tool
Other products and versions might be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
SAP published the following Security Notes:
2124806
2121661
2127995
2125316
They can be accessed by SAP clients in their Support Portal [15].
Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11].
The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.
7.1. LZC decompression stack-based buffer overflow
The vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters.
The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                               SAP_INT inlen,
                               SAP_BYTE * outbuf,
                               SAP_INT outlen,
                               SAP_INT option,
                               SAP_INT * bytes_read,
                               SAP_INT * bytes_written)
  [..]
    /* Generate output characters in reverse order ...................*/
    while (code >= 256)
    {
      *stackp++ = TAB_SUFFIXOF(code);
      OVERFLOW_CHECK
      code = TAB_PREFIXOF(code);
    }
[..]
Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables.
It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation).
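A bounds-checked form of the reverse-order output loop from 7.1, as an added example that is neither Core Security's fix nor SAP's code. The `lzc_dict` layout, `TABLE_SIZE`, the error codes and the sample dictionaries are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIRST_CODE 256          /* codes below this are literal bytes */
#define TABLE_SIZE 4096         /* assumed dictionary size for this sketch */
#define STACK_SIZE TABLE_SIZE   /* no valid chain is longer than the table */

typedef struct {
    uint16_t prefix[TABLE_SIZE];
    uint8_t  suffix[TABLE_SIZE];
    unsigned next_free;         /* first code that is not defined yet */
} lzc_dict;

enum { LZC_BAD_CODE = -1, LZC_CHAIN_TOO_LONG = -2, LZC_OUT_FULL = -3 };

/* Expand one code into out[]. Returns the number of bytes written or a
 * negative error. The KwKwK special case of LZW decoding is assumed to be
 * resolved by the caller before this function is reached. */
int lzc_expand_code(const lzc_dict *d, unsigned code,
                    uint8_t *out, size_t out_cap)
{
    uint8_t stack[STACK_SIZE];
    size_t sp = 0, n;

    /* Check 1: the code must already exist in the dictionary. */
    if (code >= d->next_free || code >= TABLE_SIZE)
        return LZC_BAD_CODE;

    /* Generate output characters in reverse order. */
    while (code >= FIRST_CODE) {
        unsigned next;
        /* Check 2: never write past the decode stack. */
        if (sp >= STACK_SIZE)
            return LZC_CHAIN_TOO_LONG;
        stack[sp++] = d->suffix[code];
        next = d->prefix[code];
        /* Check 3: a well-formed entry always points to an older code,
         * so the chain strictly decreases and cannot loop. */
        if (next >= code)
            return LZC_BAD_CODE;
        code = next;
    }
    if (sp >= STACK_SIZE)
        return LZC_CHAIN_TOO_LONG;
    stack[sp++] = (uint8_t)code;            /* final literal byte */

    /* Check 4: the caller's output buffer must hold the whole string. */
    if (sp > out_cap)
        return LZC_OUT_FULL;
    n = sp;
    while (sp > 0)
        *out++ = stack[--sp];
    return (int)n;
}

/* Constructed sample: 256 = "ab", 257 = "abc". */
int demo_valid(uint8_t *out, size_t cap)
{
    static lzc_dict d;
    memset(&d, 0, sizeof d);
    d.prefix[256] = 'a'; d.suffix[256] = 'b';
    d.prefix[257] = 256; d.suffix[257] = 'c';
    d.next_free = 258;
    return lzc_expand_code(&d, 257, out, cap);
}

/* Constructed malformed table: entries 258 and 259 reference each other,
 * the condition under which an unchecked loop keeps writing. */
int demo_cycle(void)
{
    static lzc_dict d;
    uint8_t out[16];
    memset(&d, 0, sizeof d);
    d.prefix[258] = 259; d.suffix[258] = 'x';
    d.prefix[259] = 258; d.suffix[259] = 'y';
    d.next_free = 260;
    return lzc_expand_code(&d, 258, out, sizeof out);
}

int main(void)
{
    uint8_t out[8];
    int n = demo_valid(out, sizeof out);
    printf("valid chain: %d bytes: %.*s\n", n, n > 0 ? n : 0, (const char *)out);
    printf("cyclic chain: error %d\n", demo_cycle());
    return 0;
}
```

Check 3 alone bounds the chain length; the stack check is kept so the loop stays safe if the table invariant is ever changed.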
7.2. LZH decompression out-of-bounds read
The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.
The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::BuildHufTree (
    unsigned * b,  /* code lengths in bits (all assumed <= BMAX) */
    unsigned n,    /* number of codes (assumed <= N_MAX) */
    unsigned s,    /* number of simple-valued codes (0..s-1) */
    int * d,       /* list of base values for non-simple codes */
    int * e,       /* list of extra bits for non-simple codes */
    HUFTREE **t,   /* result: starting table */
    int * m)       /* maximum lookup bits, returns actual */
  [..]
    if (p >= v + n)
    {
      r.e = INVALIDCODE;            /* out of values--invalid code */
    }
    else if (*p < s)
    {                               /* 256 is end-of-block code */
      r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
      r.v.n = (unsigned short) *p;  /* simple code is just the value*/
      p++;
    }
    else
    {
      r.e = (unsigned char) e[*p - s];  /*non-simple,look up in lists*/
      r.v.n = (unsigned short) d[*p - s];
      p++;
    }
[..]
The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access.
7.3. Attack scenarios
The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:
7.3.1. Attacks against server-side components
SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.
7.3.2. Client-side attacks
An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.
7.3.3. Man-in-the-middle attacks
As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.
7.4. Looking in binaries for compression routines
The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program.
The following Radare [14] command can be used to check if a binary file includes the mentioned constants:
$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff
Example output:
$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64
SAPCAR64: 000 @ 0x1082c1
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?..........
0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................
0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................
0x00108301 0000 0008 0000 0010 0000 0000 0000 ..............
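The same check as the rafind2 search in 7.4, written as a small stand-alone scanner for inventorying binaries where Radare is not installed. This is an added example, not part of the advisory; the function names and the constructed sample buffers are assumptions, and only the two byte patterns come from the command above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two constant tables searched for by the rafind2 command. */
static const unsigned char PAT_HIGH[8] =
    {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
static const unsigned char PAT_LOW[8] =
    {0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f, 0xff};

typedef struct { long high_off; long low_off; } cs_scan_result;

/* First offset >= start where needle occurs in hay, or -1. */
long find_bytes(const unsigned char *hay, size_t hay_len,
                const unsigned char *needle, size_t needle_len, size_t start)
{
    size_t i;
    if (needle_len == 0 || hay_len < needle_len)
        return -1;
    for (i = start; i + needle_len <= hay_len; i++)
        if (hay[i] == needle[0] && memcmp(hay + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Returns 1 when both tables are present; offsets are stored in r. */
int scan_for_cs_constants(const unsigned char *buf, size_t len,
                          cs_scan_result *r)
{
    r->high_off = find_bytes(buf, len, PAT_HIGH, sizeof PAT_HIGH, 0);
    r->low_off  = find_bytes(buf, len, PAT_LOW, sizeof PAT_LOW, 0);
    return r->high_off >= 0 && r->low_off >= 0;
}

/* Constructed sample: both tables back to back, as in the SAPCAR64 output. */
int sample_scan(cs_scan_result *r)
{
    unsigned char buf[64];
    memset(buf, 0, sizeof buf);
    memcpy(buf + 16, PAT_LOW, sizeof PAT_LOW);
    memcpy(buf + 24, PAT_HIGH, sizeof PAT_HIGH);
    return scan_for_cs_constants(buf, sizeof buf, r);
}

/* Constructed sample: only one table present, so no match is reported. */
int sample_scan_partial(cs_scan_result *r)
{
    unsigned char buf[32];
    memset(buf, 0, sizeof buf);
    memcpy(buf + 4, PAT_LOW, sizeof PAT_LOW);
    return scan_for_cs_constants(buf, sizeof buf, r);
}

int main(int argc, char **argv)
{
    FILE *f;
    long size;
    unsigned char *buf;
    cs_scan_result r;
    int hit;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <binary_file>\n", argv[0]);
        return 2;
    }
    f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    size = ftell(f);
    rewind(f);
    if (size <= 0) { fclose(f); return 2; }
    buf = malloc((size_t)size);
    if (!buf || fread(buf, 1, (size_t)size, f) != (size_t)size) {
        fprintf(stderr, "%s: read failed\n", argv[1]);
        free(buf); fclose(f);
        return 2;
    }
    fclose(f);

    hit = scan_for_cs_constants(buf, (size_t)size, &r);
    printf("%s: high table @ %ld, low table @ %ld -> %s\n", argv[1],
           r.high_off, r.low_off,
           hit ? "compression constants present" : "not found");
    free(buf);
    return hit ? 0 : 1;
}
```

Both patterns are plain bit-mask tables that other LZC-derived code (for example Unix compress) also carries, so a hit marks a binary for patch-level review rather than proving it contains the SAP routines.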
8. Report Timeline
2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday).
2015-01-21: SAP confirms reception and requests a draft version of the advisory.
2015-01-21: Core Security sends the draft version of the advisory to the vendor.
2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015.
2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities.
2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed.
2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date.
2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished.
2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations.
2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for May 12th, 2015.
2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory.
2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated.
2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner.
2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015).
2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix.
2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before it is published.
2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offers Core's publication link. Additionally, Core explained that it is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email.
2015-05-12: Advisory CORE-2015-0009 published.
9. References
[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78
[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/
[3] http://conus.info/utils/SAP_pkt_decompr.txt
[4] https://github.com/sensepost/SAPProx
[5] https://github.com/sensepost/SapCap
[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html
[7] https://github.com/CoreSecurity/pysap
[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark
[9] https://github.com/daberlin/sap-reposrc-decompressor
[10] https://labs.mwrinfosecurity.com/tools/sap-decom/
[11] http://www.oxid.it/cain.html
[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html
[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html
[14] http://radare.org/y/
[15] https://service.sap.com/securitynotes
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201506-0131", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.5" }, { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.6" }, { "model": "gui", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": 
"netweaver rfc sdk", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver java application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver abap application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "rfc library", "scope": "eq", "trust": 1.0, "vendor": "sap", "version": "*" }, { "model": "gui", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server abap", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server java", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "\\u3000" }, { "model": "rfc library", "scope": null, "trust": 0.6, "vendor": "sap", "version": null }, { "model": "sapcar archive tool", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server java", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server abap", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "maxdb database", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" } ], "sources": [ { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": 
"@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2015-2278" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Martin Gallo of Core Security Consulting Services.", "sources": [ { "db": "BID", "id": "74643" } ], "trust": 0.3 }, "cve": "CVE-2015-2278", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2015-2278", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2015-2278", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201505-482", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2015-2278", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, 
related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. Vendors have confirmed this vulnerability SAP Security Note 2124806 , 2121661 , 2127995 ,and 2125316 It is released as.Denial of service by attacker (out-of-bounds read) There is a possibility of being put into a state. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. \nRemote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. 1. Advisory Information\n\nTitle: SAP LZC/LZH Compression Multiple Vulnerabilities\nAdvisory ID: CORE-2015-0009\nAdvisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities\nDate published: 2015-05-12\nDate of last update: 2015-05-12\nVendors contacted: SAP\nRelease mode: Coordinated release\n\n2. Vulnerability Information\n\nClass: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]\nImpact: Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2015-2282, CVE-2015-2278\n\n\n3. Vulnerability Description\n\nSAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. \n\n\n4. Vulnerable Packages\n\nSAP Netweaver Application Server ABAP. \nSAP Netweaver Application Server Java. \nSAP Netweaver RFC SDK\nSAP RFC SDK\nSAP GUI\nSAP MaxDB database\nSAPCAR archive tool\nOther products and versions might be affected, but they were not tested. \n\n\n5. 
Vendor Information, Solutions and Workarounds\n\nSAP published the following Security Notes:\n\n2124806\n2121661\n2127995\n2125316\nThey can be accessed by SAP clients in their Support Portal [15]. \n\nDevelopers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP. \n\n\n6. Credits\n\nThis vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaqu\u00edn Rodr\u00edguez Varela from Core Advisories Team. \n\n\n\n7. Technical Description / Proof of Concept Code\n\nSAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11]. \n\nThe code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below. \n\n7.1. LZC decompression stack-based buffer overflow\n\nThe vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters. \n\nThe following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,\n SAP_INT inlen,\n SAP_BYTE * outbuf,\n SAP_INT outlen,\n SAP_INT option,\n SAP_INT * bytes_read,\n SAP_INT * bytes_written)\n [..]\n /* Generate output characters in reverse order ...................*/\n while (code \u003e= 256)\n {\n *stackp++ = TAB_SUFFIXOF(code);\n OVERFLOW_CHECK\n code = TAB_PREFIXOF(code);\n }\n[..]\nNote that the \"code\" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It\u0027s possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. \n\nIt\u0027s also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer (\"OVERFLOW_CHECK\"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled (\"CS_STACK_CHECK\" macro not defined at the time of compilation). \n\n7.2. LZH decompression out-of-bounds read\n\nThe vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes. \n\nThe following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::BuildHufTree (\n unsigned * b, /* code lengths in bits (all assumed \u003c= BMAX) */\n unsigned n, /* number of codes (assumed \u003c= N_MAX) */\n unsigned s, /* number of simple-valued codes (0..s-1) */\n int * d, /* list of base values for non-simple codes */\n int * e, /* list of extra bits for non-simple codes */\n HUFTREE **t, /* result: starting table */\n int * m) /* maximum lookup bits, returns actual */\n [..]\n if (p \u003e= v + n)\n {\n r.e = INVALIDCODE; /* out of values--invalid code */\n }\n else if (*p \u003c s)\n { /* 256 is end-of-block code */\n r.e = (unsigned char)(*p \u003c 256 ? LITCODE : EOBCODE);\n r.v.n = (unsigned short) *p; /* simple code is just the value*/\n p++;\n }\n else\n {\n r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/\n r.v.n = (unsigned short) d[*p - s];\n p++;\n }\n[..]\n \nThe \"e\" and \"d\" arrays are indexed with the value of \"*p - s\" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access. \n\n7.3. Attack scenarios\n\nThe vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:\n\n7.3.1. Attacks against server-side components\n\nSAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets. \n\n7.3.2. Client-side attacks\n\nAn attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. 
For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI. \n\n7.3.3. Man-in-the-middle attacks\n\nAs most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication. \n\n7.4. Looking in binaries for compression routines\n\nThe LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It\u0027s possible to check if a binary includes these functions by looking at whether the algorithm\u0027s constants are used in the program. \n\nThe following Radare [14] command can be used to check if a binary file includes the mentioned constants:\n\n \n$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff \u003cbinary_file\u003e\n \nExample output:\n\n \n$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 \n\nSAPCAR64: 000 @ 0x1082c1\n offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\n0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?.......... \n0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................ \n0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ \n0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. \n \n\n\n8. Report Timeline\n\n2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). \n2015-01-21: SAP confirms reception and requests a draft version of the advisory. \n2015-01-21: Core Security sends the draft version of the advisory to the vendor. \n2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 
\n2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. \n2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. \n2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. \n2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. \n2015-02-04: SAP states that they will be able to provide a fix by May\u0027s Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. \n2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. \n2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. \n2015-02-19: SAP states that it is thankful for Core\u0027s commitment to go for a coordinated release. They say they will keep us updated. \n2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. \n2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). \n2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core\u0027s advisory. 
Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. \n2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. \n2015-05-12: Core Security requests that SAP fixes the external ID (Core\u0027s ID) they used and offer Core\u0027s publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. \n2015-05-12: Advisory CORE-2015-0009 published. \n\n\n9. References\n\n[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. \n[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. \n[3] http://conus.info/utils/SAP_pkt_decompr.txt. \n[4] https://github.com/sensepost/SAPProx. \n[5] https://github.com/sensepost/SapCap. \n[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. \n[7] https://github.com/CoreSecurity/pysap. \n[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. \n[9] https://github.com/daberlin/sap-reposrc-decompressor. \n[10] https://labs.mwrinfosecurity.com/tools/sap-decom/. \n[11] http://www.oxid.it/cain.html. \n[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. \n[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. \n[14] http://radare.org/y/. \n[15] https://service.sap.com/securitynotes. \n\n\n10. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. 
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. \n\n\n11. About Core Security\n\nCore Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company\u0027s Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. \n\n\n12. Disclaimer\n\nThe contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n13. 
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc", "sources": [ { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "BID", "id": "74643" }, { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "PACKETSTORM", "id": "131883" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2015-2278", "trust": 2.9 }, { "db": "PACKETSTORM", "id": "131883", "trust": 1.8 }, { "db": "BID", "id": "74643", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2015-002925", "trust": 0.8 }, { "db": "SECUNIA", "id": "64440", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201505-482", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2015-2278", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "id": "VAR-201506-0131", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.167840075 }, "last_update_date": "2023-12-18T13:24:46.085000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Note 2124806/2121661/2127995/2125316", "trust": 0.8, "url": 
"http://scn.sap.com/docs/doc-55451" }, { "title": "martingalloar", "trust": 0.1, "url": "https://github.com/martingalloar/martingalloar " }, { "title": "publications", "trust": 0.1, "url": "https://github.com/martingalloar/publications " }, { "title": "The Register", "trust": 0.1, "url": "https://www.theregister.co.uk/2015/05/14/saps_compression_is_buggy_and_insecure/" }, { "title": "Threatpost", "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "trust": 1.7, "url": "http://packetstormsecurity.com/files/131883/sap-lzc-lzh-compression-denial-of-service.html" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/50" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/96" }, { "trust": 1.2, "url": "http://www.securityfocus.com/bid/74643" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2278" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2278" }, { "trust": 0.6, "url": 
"http://www.securityfocus.com/archive/1/archive/1/535535/100/0/threaded" }, { "trust": 0.6, "url": "http://secunia.com/advisories/64440" }, { "trust": 0.3, "url": "http://www.sap.com" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/119.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html." }, { "trust": 0.1, "url": "http://www.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapcap." }, { "trust": 0.1, "url": "https://github.com/coresecurity/sap-dissection-plug-in-for-wireshark." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapprox." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html." }, { "trust": 0.1, "url": "https://service.sap.com/securitynotes." }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "https://github.com/coresecurity/pysap." }, { "trust": 0.1, "url": "http://conus.info/utils/sap_pkt_decompr.txt." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2282" }, { "trust": 0.1, "url": "http://www.oxid.it/cain.html." }, { "trust": 0.1, "url": "https://labs.mwrinfosecurity.com/tools/sap-decom/." }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/daberlin/sap-reposrc-decompressor." }, { "trust": 0.1, "url": "http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html." }, { "trust": 0.1, "url": "http://radare.org/y/." }, { "trust": 0.1, "url": "http://en.wikipedia.org/wiki/lz77_and_lz78." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2278" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-06-02T00:00:00", "db": "VULMON", "id": "CVE-2015-2278" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "date": "2015-05-13T17:48:36", "db": "PACKETSTORM", "id": "131883" }, { "date": "2015-06-02T14:59:07.537000", "db": "NVD", "id": "CVE-2015-2278" }, { "date": "2015-05-22T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-09T00:00:00", "db": "VULMON", "id": "CVE-2015-2278" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "date": "2018-10-09T19:56:11.780000", "db": "NVD", "id": "CVE-2015-2278" }, { "date": "2015-06-03T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-482" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "plural SAP Product LZH Service disruption in decompression implementation (DoS) Vulnerabilities", "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002925" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-482" } ], "trust": 0.6 } }
var-202101-1438
Vulnerability from variot
SAP GUI for Windows, version 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PC's memory. Under certain conditions the attacker can access information which would otherwise be restricted. The exploit can only be executed locally on the client PC and not via the network, and the attacker needs at least the user authorization of the victim's operating system user. SAP GUI for Windows contains an inadequate protection of credentials vulnerability. Information may be obtained.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202101-1438", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "graphical user interface", "scope": "eq", "trust": 1.0, "vendor": "sap", "version": "7.60" }, { "model": "gui", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "7.60" }, { "model": "gui", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": null
} ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:graphical_user_interface:7.60:*:*:*:*:windows:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-21448" } ] }, "cve": "CVE-2021-21448", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "None", 
"baseScore": 2.1, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2021-21448", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Low", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.0, "impactScore": 4.0, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "HIGH", "attackVector": "LOCAL", "author": "cna@sap.com", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 0.8, "impactScore": 4.0, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-21448", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Changed", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-21448", "trust": 1.8, "value": "MEDIUM" }, { "author": "cna@sap.com", "id": "CVE-2021-21448", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202101-786", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": 
"JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory. Under certain conditions the attacker can access information which would otherwise be restricted. The exploit can only be executed locally on the client PC and not via Network and the attacker needs at least user authorization of the Operating System user of the victim. Windows for SAP GUI Exists in an inadequate protection of credentials.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "JVNDB", "id": "JVNDB-2021-002436" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21448", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2021-002436", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202101-786", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "id": "VAR-202101-1438", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.19973545 }, "last_update_date": "2023-12-18T14:04:29.504000Z", "patch": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP\u00a0Security\u00a0Patch\u00a0Day\u00a0-\u00a0January\u00a02021", "trust": 0.8, "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=564760476" }, { "title": "SAP GUI for Windows Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=139711" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Inadequate protection of credentials (CWE-522) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.6, "url": "https://launchpad.support.sap.com/#/notes/2992269" }, { "trust": 1.6, "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=564760476" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21448" }, { "trust": 0.6, "url": "https://i7p.wdf.sap.corp/sap/support/notes/2992269" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-of-january-2021-34277" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", 
"data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "db": "NVD", "id": "CVE-2021-21448" }, { "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-09-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "date": "2021-01-12T15:15:14.610000", "db": "NVD", "id": "CVE-2021-21448" }, { "date": "2021-01-12T00:00:00", "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-09-15T08:57:00", "db": "JVNDB", "id": "JVNDB-2021-002436" }, { "date": "2022-07-12T17:42:04.277000", "db": "NVD", "id": "CVE-2021-21448" }, { "date": "2022-07-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202101-786" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202101-786" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Windows\u00a0 for \u00a0SAP\u00a0GUI\u00a0 Vulnerability regarding inadequate protection of credentials in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-002436" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202101-786" } ], "trust": 0.6 } }
var-201209-0611
Vulnerability from variot
Multiple untrusted search path vulnerabilities in (1) SAPGui.exe and (2) BExAnalyzer.exe in SAP GUI 6.4 through 7.2 allow local users to gain privileges via a Trojan horse MFC80LOC.DLL file in the current working directory, as demonstrated by a directory that contains a .sap file. NOTE: some of these details are obtained from third party information. (1) SAPGui.exe and (2) BExAnalyzer.exe in SAP GUI contain a vulnerability that allows privileges to be gained due to a flaw in search path processing. Supplementary information: the vulnerability type has been identified as CWE-426: Untrusted Search Path. Privileges may be gained through an MFC80LOC.DLL file. The SAP GUI is a graphical user interface client for SAP software. SAP GUI applications (such as SAPGui.exe and BExAnalyzer.exe) load libraries (such as MFC80LOC.DLL) in an unsafe manner, and an attacker can entice a user to open an SAP GUI shortcut (a ".sap" file) on a remote WebDAV or SMB share, causing arbitrary code to be executed in the security context of the logged-in user. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. SAP GUI versions 6.4 through 7.2 are vulnerable; other versions may also be affected.
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/
TITLE: SAP GUI Insecure Library Loading Vulnerability
SECUNIA ADVISORY ID: SA43707
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43707/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43707
RELEASE DATE: 2011-03-16
DESCRIPTION: A vulnerability has been reported in SAP GUI, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by the application (e.g. SAPGui.exe and BExAnalyzer.exe) loading libraries (e.g. MFC80LOC.DLL) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g.
Successful exploitation allows execution of arbitrary code.
SOLUTION: Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Alexey Sintsov and Alexandr Polyakov, Digital Security Research Group (DSecRG)
ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1511179
Digital Security Research Group (DSECRG-11-014): http://dsecrg.com/pages/vul/show.php?id=314
var-201705-4230
Vulnerability from variot
SAP GUI is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
var-200901-0399
Vulnerability from variot
Multiple heap-based buffer overflows in the AddTab method in the (1) Tab and (2) CTab ActiveX controls in c1sizer.ocx and the (3) TabOne ActiveX control in sizerone.ocx in ComponentOne SizerOne 8.0.20081.140, as used in ComponentOne Studio for ActiveX 2008, TSC2 Help Desk 4.1.8, SAP GUI 6.40 Patch 29 and 7.10, and possibly other products, allow remote attackers to execute arbitrary code by adding many tabs, or adding tabs with long tab captions. The SizerOne ActiveX control used in products by multiple vendors is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the application that uses the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in denial-of-service conditions.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"SAP GUI is SAP's universal client for accessing SAP functionality in SAP applications such as - SAP ERP, SAP Business Suite (SAP CRM, SAP SCM and SAP PLM), SAP Business Intelligence and so on. SAP GUI functions like a browser. It gets information from the SAP server like what, where, when and how, to display contents in its window."
Users can also set the kill-bit manually by following the procedure explained in SAP note 1092631.
======================================================================
Secunia Research 07/01/2009
- ComponentOne SizerOne ActiveX Control Buffer Overflow -
======================================================================
Table of Contents
1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
======================================================================
1) Affected Software
- ComponentOne SizerOne 8.0.20081.140
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"ComponentOne SizerOne 8.0 is a four-in-one tool that includes two resizing controls to easily handle both simple and complex sizing. The tabbing control enables you to quickly create notebook-style and Microsoft Outlook-style tabs. And with the parsing control, you can automatically slice and dice strings."
Product Link: http://www.componentone.com/SuperProducts/SizerOne/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in ComponentOne SizerOne, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused by a boundary error in the included Tab ActiveX control (c1sizer.ocx) when copying tab captions. This can be exploited to cause a heap-based buffer overflow by e.g. adding tabs with overly long captions via the "AddTab()" method.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Update to version 8.0.20081.142 of the ActiveX control.
======================================================================
6) Time Table
13/11/2008 - Vendor notified.
19/11/2008 - Vendor response.
25/11/2008 - Vendor informs that vulnerability has been fixed and offers to provide test version.
26/11/2008 - Copy of fixed test version requested.
01/12/2008 - Test version provided by the vendor.
02/12/2008 - Vendor informed that patch fixes vulnerability nicely.
02/12/2008 - Vendor informs that fix will be available within a week.
05/01/2008 - Status update requested.
05/01/2008 - Vendor informs that fix has been made available.
07/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-4827 for the vulnerability.
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-52/
Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/
======================================================================
Other versions may also be affected.
ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2008-53/
var-201506-0584
Vulnerability from variot
SAP GUI is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
var-200904-0568
Vulnerability from variot
Stack-based buffer overflow in EAI WebViewer3D ActiveX control (webviewer3d.dll) in SAP AG SAPgui before 7.10 Patch Level 9 allows remote attackers to execute arbitrary code via a long argument to the SaveViewToSessionFile method. The Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control, which comes with SAPgui, contains a stack buffer overflow. This may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. SAP AG SAPgui is prone to a remote stack-based buffer-overflow vulnerability. Failed exploit attempts will result in a denial-of-service condition. Versions prior to SAPgui 7.10 Patch Level 9 are vulnerable.
TITLE: SAP GUI EAI WebViewer3D ActiveX Control Buffer Overflow
SECUNIA ADVISORY ID: SA34559
VERIFY ADVISORY: http://secunia.com/advisories/34559/
DESCRIPTION: Will Dormann has discovered a vulnerability in SAP GUI, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the bundled EAI WebViewer3D ActiveX control (webviewer3d.dll) when processing arguments passed to the "SaveViewToSessionFile()" method. This can be exploited to cause a stack-based buffer overflow via an overly long argument.
The vulnerability is confirmed in versions 6.40 LP29 and 7.10 PL5. Other versions may also be affected.
SOLUTION: Update to version 7.10 PL9 or later.
PROVIDED AND/OR DISCOVERED BY: Will Dormann, CERT/CC.
ORIGINAL ADVISORY: US-CERT VU#985449: http://www.kb.cert.org/vuls/id/985449
SAP Note 1153794: https://service.sap.com/sap/support/notes/1153794
Vulnerability from fkie_nvd
6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Source | URL | Tags |
---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3237251 | Permissions Required, Vendor Advisory |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3237251 | Permissions Required, Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:gui:7.70:-:*:*:*:*:*:*", "matchCriteriaId": "F248FAAF-A8B4-48AB-BDBF-A019C1FC1932", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application.\n\n" }, { "lang": "es", "value": "SAP GUI permite a un atacante autenticado ejecutar scripts en la red local. Si la explotaci\u00f3n tiene \u00e9xito, el atacante puede obtener acceso a los registros, lo que puede causar un impacto limitado en la confidencialidad y un alto impacto en la disponibilidad de la aplicaci\u00f3n." 
} ], "id": "CVE-2022-41205", "lastModified": "2024-11-21T07:22:49.450", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 4.7, "source": "cna@sap.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-08T22:15:17.657", "references": [ { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/3237251" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/3237251" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "cna@sap.com", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": 
"Secondary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version |
---|---|---|
sap | gui | - |
sap | maxdb | 7.5 |
sap | maxdb | 7.6 |
sap | netweaver_abap_application_server | - |
sap | netweaver_java_application_server | - |
sap | netweaver_rfc_sdk | - |
sap | rfc_library | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "matchCriteriaId": "399383D3-01CC-48FF-943F-F7F0EF54ECFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "BAA8EB08-6866-4FDF-A552-C290A54E9B08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "3BF72173-A7B4-44DD-A842-BA29D6AF6E08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A55F8F2-A31D-4C57-A664-0B1DBD1F17A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BC67018-106D-4103-83FB-FEC80496F14D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A37353F-8BC1-4B72-B452-E19308C9740B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0FE182C-229B-461B-8139-D39E005034A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
}, { "lang": "es", "value": "Desbordamiento de buffer basado en pila en la implementaci\u00f3n LZC decompression (la funci\u00f3n CsObjectInt::CsDecomprLZC en vpa106cslzc.cpp) en SAP MaxDB 7.5 y 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, la herramienta de archivos SAPCAR, y otros productos permite a atacantes dependientes de contexto causar una denegaci\u00f3n de servicio (ca\u00edda) o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados, tambi\u00e9n conocido como las notas de seguridad de 2124806, 2121661, 2127995, y 2125316." } ], "id": "CVE-2015-2282", "lastModified": "2024-11-21T02:27:08.723", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-06-02T14:59:08.880", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": 
"cve@mitre.org", "url": "http://www.securityfocus.com/bid/74643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74643" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
sap | gui | - | |
sap | maxdb | 7.5 | |
sap | maxdb | 7.6 | |
sap | netweaver_abap_application_server | - | |
sap | netweaver_java_application_server | - | |
sap | netweaver_rfc_sdk | - | |
sap | rfc_library | * | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "matchCriteriaId": "399383D3-01CC-48FF-943F-F7F0EF54ECFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "BAA8EB08-6866-4FDF-A552-C290A54E9B08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "3BF72173-A7B4-44DD-A842-BA29D6AF6E08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A55F8F2-A31D-4C57-A664-0B1DBD1F17A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BC67018-106D-4103-83FB-FEC80496F14D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A37353F-8BC1-4B72-B452-E19308C9740B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0FE182C-229B-461B-8139-D39E005034A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
}, { "lang": "es", "value": "La implementaci\u00f3n LZH decompression (la funci\u00f3n CsObjectInt::BuildHufTree en vpa108csulzh.cpp) en SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, la herramienta de archivos SAPCAR, y otros productos permite a atacantes dependientes de contexto causar una denegaci\u00f3n de servicio (lectura fuera de rango) a trav\u00e9s de vectores no especificados, relacionado con b\u00fasquedas de c\u00f3digos no simples, tambi\u00e9n conocido como las notas de seguridad de SAP 2124806, 2121661, 2127995, y 2125316." } ], "id": "CVE-2015-2278", "lastModified": "2024-11-21T02:27:08.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-06-02T14:59:07.537", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/74643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74643" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2022-41205
Vulnerability from cvelistv5
Vendor | Product | Version | |
---|---|---|---|
SAP SE | SAP GUI for Windows | = 7.70 | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:35:49.518Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "tags": [ "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/3237251" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP GUI for Windows", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "= 7.70" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application.\u003c/p\u003e" } ], "value": "SAP GUI allows an authenticated attacker to execute scripts in the local network. 
On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-10T05:46:50.453Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" }, { "url": "https://launchpad.support.sap.com/#/notes/3237251" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2022-41205", "datePublished": "2022-11-08T00:00:00", "dateReserved": "2022-09-21T00:00:00", "dateUpdated": "2024-08-03T12:35:49.518Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-2282
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://seclists.org/fulldisclosure/2015/May/50 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/74643 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/535535/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2015/May/96 | mailing-list, x_refsource_FULLDISC | |
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities | x_refsource_MISC | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:10:15.939Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2282", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause 
a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74643" }, { "name": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "name": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities", "refsource": "MISC", "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2282", "datePublished": "2015-06-02T14:00:00", "dateReserved": "2015-03-10T00:00:00", "dateUpdated": "2024-08-06T05:10:15.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-2278
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://seclists.org/fulldisclosure/2015/May/50 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/74643 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/535535/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2015/May/96 | mailing-list, x_refsource_FULLDISC | |
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities | x_refsource_MISC | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:10:15.851Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2278", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service 
(out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74643" }, { "name": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "name": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities", "refsource": "MISC", "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2278", "datePublished": "2015-06-02T14:00:00", "dateReserved": "2015-03-10T00:00:00", "dateUpdated": "2024-08-06T05:10:15.851Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }