All the vulnerabilities related to sap - maxdb
var-201107-0315
Vulnerability from variot
MaxDB is an SAP database compatible with ANSI SQL-92. A security vulnerability in MaxDB causes a null pointer error in SAP DBTech-MAXDB (kernel.exe) when it processes certain login handshake messages. An attacker can crash the service by sending a specially crafted packet to, for example, TCP port 7200 or 7210.
TITLE: MaxDB Handshake Packet Processing Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA44525
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44525/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44525
RELEASE DATE: 2011-07-13
DISCUSS ADVISORY: http://secunia.com/advisories/44525/#comments
DESCRIPTION: Abdul-Aziz Hariri has discovered a vulnerability in MaxDB, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is confirmed in version 7.8.01.18. Other versions may also be affected.
SOLUTION: Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Abdul-Aziz Hariri via Secunia.
ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1594180
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201107-0315", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "7.8.01.18" } ], "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", 
"sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Secunia", "sources": [ { "db": "PACKETSTORM", "id": "103015" } ], "trust": 0.1 }, "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": null, "accessVector": null, "authentication": null, "author": "IVD", "availabilityImpact": null, "baseScore": null, "confidentialityImpact": null, "exploitabilityScore": null, "id": "3ac46842-1f90-11e6-abef-000c29c66e3d", "impactScore": null, "integrityImpact": null, "severity": null, "trust": 0.2, "vectorString": null, "version": "unknown" } ], "cvssV3": [], "severity": [ { "author": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "LOW" } ] } ], "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MaxDB is an SAP database compatible with ANSI SQL-92. A security vulnerability exists in MaxDB that caused a null pointer error in SAP DBTech-MAXDB (kernel.exe) when processing certain login handshake messages. An attacker can crash a service by sending a specially crafted packet to, for example, TCP port 7200 or 7210. 
SAP DBTech-MAXDB ( kernel.exe ) Generates a null pointer error. Attackers can send specially crafted packets to e.g. ----------------------------------------------------------------------\n\nThe Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. \n\nRead more and request a free trial:\nhttp://secunia.com/products/corporate/vim/\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB Handshake Packet Processing Denial of Service Vulnerability\n\nSECUNIA ADVISORY ID:\nSA44525\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/44525/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44525\n\nRELEASE DATE:\n2011-07-13\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/44525/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/44525/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44525\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nAbdul-Aziz Hariri has discovered a vulnerability in MaxDB, which can\nbe exploited by malicious people to cause a DoS (Denial of Service). \n\nThe vulnerability is confirmed in version 7.8.01.18. Other versions\nmay also be affected. \n\nSOLUTION:\nApply patches (please see the vendor\u0027s advisory for details). 
\n\nPROVIDED AND/OR DISCOVERED BY:\nAbdul-Aziz Hariri via Secunia. \n\nORIGINAL ADVISORY:\nSAP:\nhttps://service.sap.com/sap/support/notes/1594180\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n", "sources": [ { "db": "CNVD", "id": "CNVD-2011-2642" }, { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "PACKETSTORM", "id": "103015" } ], "trust": 0.81 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "CNVD", "id": "CNVD-2011-2642", "trust": 0.8 }, { "db": "SECUNIA", "id": "44525", "trust": 0.7 }, { "db": "IVD", "id": "3AC46842-1F90-11E6-ABEF-000C29C66E3D", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "103015", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" }, { "db": "PACKETSTORM", "id": "103015" } ] }, "id": "VAR-201107-0315", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" } ], "trust": 0.9359447000000001 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" } ] }, "last_update_date": "2022-05-17T22:45:28.249000Z", "patch": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MaxDB handshake packet to handle denial of service vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/4374" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2642" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.7, "url": "http://secunia.com/advisories/44525/" }, { "trust": 0.1, "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44525" }, { "trust": 0.1, "url": "https://service.sap.com/sap/support/notes/1594180" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_intelligence/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/44525/#comments" }, { "trust": 0.1, "url": "http://secunia.com/products/corporate/vim/" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_scanning/personal/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/about_secunia_advisories/" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2642" }, { "db": "PACKETSTORM", "id": "103015" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" }, { "db": "PACKETSTORM", "id": "103015" } ] }, "sources_release_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-07-12T00:00:00", "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "date": "2011-07-12T00:00:00", "db": "CNVD", "id": "CNVD-2011-2642" }, { "date": "2011-07-13T06:32:38", "db": "PACKETSTORM", "id": "103015" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-07-12T00:00:00", "db": "CNVD", "id": "CNVD-2011-2642" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MaxDB Handshake packet handling denial of service vulnerability", "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2011-2642" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Denial of service", "sources": [ { "db": "IVD", "id": "3ac46842-1f90-11e6-abef-000c29c66e3d" } ], "trust": 0.2 } }
var-201001-0445
Vulnerability from variot
SAP MaxDB is prone to an unspecified information-disclosure vulnerability and an unspecified denial-of-service vulnerability. Very few details are currently available regarding these issues. We will update this BID as more information emerges. Attackers can exploit these issues to cause a denial-of-service condition or obtain sensitive information. SAP MaxDB 7.6.06 is vulnerable; other versions may also be affected.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201001-0445", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.6" } ], "sources": [ { "db": "BID", "id": "37766" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Intevydis", "sources": [ { "db": "BID", "id": "37766" } ], "trust": 0.3 }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB is prone to an unspecified information-disclosure vulnerability and an unspecified denial-of-service vulnerability.\nVery few details are currently available regarding these issues. We will update this BID as more information emerges.\nAttackers can exploit these issues to a cause a denial-of-service condition or obtain sensitive information.\nSAP MaxDB 7.6.06 is vulnerable; other versions any also be affected.", "sources": [ { "db": "BID", "id": "37766" } ], "trust": 0.3 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "37766", "trust": 0.3 } ], "sources": [ { "db": "BID", "id": "37766" } ] }, "id": "VAR-201001-0445", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2022-05-17T02:01:27.092000Z", "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.3, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "http://intevydis.com/company.shtml" } ], "sources": [ { "db": "BID", "id": "37766" } ] }, "sources": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "37766" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-01-13T00:00:00", "db": "BID", "id": "37766" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-01-13T00:00:00", "db": "BID", "id": "37766" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "37766" } ], "trust": 0.3 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB Unspecified Information Disclosure and Denial of Service Vulnerabilities", "sources": [ { "db": "BID", "id": "37766" } ], "trust": 0.3 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Unknown", "sources": [ { "db": "BID", "id": "37766" } ], "trust": 0.3 } }
var-201805-0882
Vulnerability from variot
SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. The SAP MaxDB ODBC driver contains a code injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of UDL files by the Data Link Properties dialog. When parsing the Servername element, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the process. MaxDB ODBC Driver 7.9.09.07 is vulnerable; other versions may also be affected. (This description is aggregated from several sources, which disagree on the boundary version: the first sentence treats versions before 7.9.09.07 as affected, while the last lists 7.9.09.07 itself as vulnerable; check the vendor note referenced in the record before treating a given build as fixed.)
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201805-0882", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb odbc driver", "scope": "eq", "trust": 1.1, "vendor": "sap", "version": "7.9.09.07" }, { "model": "maxdb odbc driver", "scope": "lt", "trust": 1.0, "vendor": "sap", "version": "7.9.09.07" }, { "model": "maxdb", "scope": null, "trust": 0.7, "vendor": 
"sap", "version": null } ], "sources": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "BID", "id": "104115" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb_odbc_driver:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "7.9.09.07", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2018-2418" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "rgod", "sources": [ { "db": "ZDI", "id": "ZDI-18-423" } ], "trust": 0.7 }, "cve": "CVE-2018-2418", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": true, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 6.4, 
"integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 7.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2018-2418", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "ZDI", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "id": "CVE-2018-2418", "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "MEDIUM", "trust": 0.7, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "cna@sap.com", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 1.3, "impactScore": 3.7, 
"integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2018-2418", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2018-2418", "trust": 1.8, "value": "CRITICAL" }, { "author": "cna@sap.com", "id": "CVE-2018-2418", "trust": 1.0, "value": "MEDIUM" }, { "author": "ZDI", "id": "CVE-2018-2418", "trust": 0.7, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201805-240", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. SAP MaxDB ODBC The driver contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of UDL files by the Data Link Properties dialog. When parsing the Servername element, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the process. \nMaxDB ODBC Driver 7.9.09.07 is vulnerable; other versions may also be affected", "sources": [ { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "BID", "id": "104115" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-2418", "trust": 3.4 }, { "db": "BID", "id": "104115", "trust": 1.9 }, { "db": "JVNDB", "id": "JVNDB-2018-004827", "trust": 0.8 }, { "db": "ZDI_CAN", "id": "ZDI-CAN-5478", "trust": 0.7 }, { "db": "ZDI", "id": "ZDI-18-423", "trust": 0.7 }, { "db": "CNNVD", "id": "CNNVD-201805-240", "trust": 0.6 } ], "sources": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "BID", "id": "104115" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "id": "VAR-201805-0882", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T13:57:00.254000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, 
"sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Patch Day - May 2018", "trust": 1.5, "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/" }, { "title": "SAP MaxDB ODBC Driver security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=79918" } ], "sources": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-94", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/" }, { "trust": 1.9, "url": "https://launchpad.support.sap.com/#/notes/2610231" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/104115" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2418" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-2418" }, { "trust": 0.3, "url": "http://www.sap.com/" } ], "sources": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "BID", "id": "104115" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "ZDI", "id": "ZDI-18-423" }, { "db": "BID", "id": 
"104115" }, { "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "db": "NVD", "id": "CVE-2018-2418" }, { "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-05-14T00:00:00", "db": "ZDI", "id": "ZDI-18-423" }, { "date": "2018-05-08T00:00:00", "db": "BID", "id": "104115" }, { "date": "2018-06-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "date": "2018-05-09T20:29:00.823000", "db": "NVD", "id": "CVE-2018-2418" }, { "date": "2018-05-10T00:00:00", "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-05-14T00:00:00", "db": "ZDI", "id": "ZDI-18-423" }, { "date": "2018-05-08T00:00:00", "db": "BID", "id": "104115" }, { "date": "2018-06-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-004827" }, { "date": "2019-10-09T23:40:04.777000", "db": "NVD", "id": "CVE-2018-2418" }, { "date": "2019-10-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201805-240" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201805-240" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB ODBC Code injection vulnerability in driver", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-004827" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code injection", 
"sources": [ { "db": "CNNVD", "id": "CNNVD-201805-240" } ], "trust": 0.6 } }
var-201506-0132
Vulnerability from variot
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. The LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in multiple SAP products contains a stack-based buffer overflow vulnerability. The vendor has confirmed this vulnerability and released it as SAP Security Notes 2124806, 2121661, 2127995, and 2125316. An attacker could cause a denial of service (crash) or execute arbitrary code. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.

1. Advisory Information
Title: SAP LZC/LZH Compression Multiple Vulnerabilities
Advisory ID: CORE-2015-0009
Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities
Date published: 2015-05-12
Date of last update: 2015-05-12
Vendors contacted: SAP
Release mode: Coordinated release
2. Vulnerability Information
Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2015-2282, CVE-2015-2278
3. Vulnerability Description
SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.
4. Vulnerable Packages
SAP Netweaver Application Server ABAP.
SAP Netweaver Application Server Java.
SAP Netweaver RFC SDK
SAP RFC SDK
SAP GUI
SAP MaxDB database
SAPCAR archive tool
Other products and versions might be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
SAP published the following Security Notes:
2124806
2121661
2127995
2125316
They can be accessed by SAP clients in their Support Portal [15].
Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11].
The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.
7.1. LZC decompression stack-based buffer overflow [CVE-2015-2282]
The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                               SAP_INT    inlen,
                               SAP_BYTE * outbuf,
                               SAP_INT    outlen,
                               SAP_INT    option,
                               SAP_INT *  bytes_read,
                               SAP_INT *  bytes_written)
  [..]
  /* Generate output characters in reverse order ...................*/
  while (code >= 256)
  {
    *stackp++ = TAB_SUFFIXOF(code);
    OVERFLOW_CHECK
    code = TAB_PREFIXOF(code);
  }
[..]
Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables.
It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation).
7.2. LZH decompression out-of-bounds read
The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.
The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::BuildHufTree (
    unsigned * b,  /* code lengths in bits (all assumed <= BMAX) */
    unsigned   n,  /* number of codes (assumed <= N_MAX) */
    unsigned   s,  /* number of simple-valued codes (0..s-1) */
    int *      d,  /* list of base values for non-simple codes */
    int *      e,  /* list of extra bits for non-simple codes */
    HUFTREE  **t,  /* result: starting table */
    int *      m)  /* maximum lookup bits, returns actual */
  [..]
  if (p >= v + n)
  {
    r.e = INVALIDCODE; /* out of values--invalid code */
  }
  else if (*p < s)
  { /* 256 is end-of-block code */
    r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
    r.v.n = (unsigned short) *p; /* simple code is just the value*/
    p++;
  }
  else
  {
    r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/
    r.v.n = (unsigned short) d[*p - s];
    p++;
  }
[..]
The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access.
7.3. Attack scenarios
The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:
7.3.1. Attacks against server-side components
SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.
7.3.2. Client-side attacks
An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.
7.3.3. Man-in-the-middle attacks
As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.
7.4. Looking in binaries for compression routines
The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program.
The following Radare [14] command can be used to check if a binary file includes the mentioned constants:
$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file>
Example output:
$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64
SAPCAR64: 000 @ 0x1082c1
 offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?..........
0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................
0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................
0x00108301 0000 0008 0000 0010 0000 0000 0000 ..............
8. Report Timeline
2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). 2015-01-21: SAP confirms reception and requests a draft version of the advisory. 2015-01-21: Core Security sends the draft version of the advisory to the vendor. 2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. 2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. 2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. 2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. 2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. 2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. 2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. 2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated. 2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. 
2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). 2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. 2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. 2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offer Core's publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. 2015-05-12: Advisory CORE-2015-0009 published.
9. References
[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. [2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. [3] http://conus.info/utils/SAP_pkt_decompr.txt. [4] https://github.com/sensepost/SAPProx. [5] https://github.com/sensepost/SapCap. [6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. [7] https://github.com/CoreSecurity/pysap. [8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. [9] https://github.com/daberlin/sap-reposrc-decompressor. [10] https://labs.mwrinfosecurity.com/tools/sap-decom/. [11] http://www.oxid.it/cain.html. [12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. [13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. [14] http://radare.org/y/. [15] https://service.sap.com/securitynotes.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201506-0132", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.5" }, { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.6" }, { "model": "gui", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": 
"netweaver rfc sdk", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver java application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver abap application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "rfc library", "scope": "eq", "trust": 1.0, "vendor": "sap", "version": "*" }, { "model": "gui", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server abap", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server java", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "\\u3000" }, { "model": "rfc library", "scope": null, "trust": 0.6, "vendor": "sap", "version": null }, { "model": "sapcar archive tool", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server java", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server abap", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "maxdb database", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" } ], "sources": [ { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": 
"@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2015-2282" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Martin Gallo of Core Security Consulting Services.", "sources": [ { "db": "BID", "id": "74643" } ], "trust": 0.3 }, "cve": "CVE-2015-2282", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 7.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2015-2282", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2015-2282", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201505-483", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2015-2282", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or 
possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. plural SAP Product LZC Implementation of decompression (vpa106cslzc.cpp of CsObjectInt::CsDecomprLZC function ) Contains a stack-based buffer overflow vulnerability. Vendors have confirmed this vulnerability SAP Security Note 2124806 , 2121661 , 2127995 ,and 2125316 It is released as.Denial of service by attacker ( crash ) Could be put into a state or execute arbitrary code. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. \nRemote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. 1. Advisory Information\n\nTitle: SAP LZC/LZH Compression Multiple Vulnerabilities\nAdvisory ID: CORE-2015-0009\nAdvisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities\nDate published: 2015-05-12\nDate of last update: 2015-05-12\nVendors contacted: SAP\nRelease mode: Coordinated release\n\n2. Vulnerability Information\n\nClass: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]\nImpact: Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2015-2282, CVE-2015-2278\n\n\n3. Vulnerability Description\n\nSAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. \n\n\n4. Vulnerable Packages\n\nSAP Netweaver Application Server ABAP. \nSAP Netweaver Application Server Java. 
\nSAP Netweaver RFC SDK\nSAP RFC SDK\nSAP GUI\nSAP MaxDB database\nSAPCAR archive tool\nOther products and versions might be affected, but they were not tested. \n\n\n5. Vendor Information, Solutions and Workarounds\n\nSAP published the following Security Notes:\n\n2124806\n2121661\n2127995\n2125316\nThey can be accessed by SAP clients in their Support Portal [15]. \n\nDevelopers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP. \n\n\n6. Credits\n\nThis vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaqu\u00edn Rodr\u00edguez Varela from Core Advisories Team. \n\n\n\n7. Technical Description / Proof of Concept Code\n\nSAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11]. \n\nThe code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below. \n\n7.1. \n\nThe following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,\n SAP_INT inlen,\n SAP_BYTE * outbuf,\n SAP_INT outlen,\n SAP_INT option,\n SAP_INT * bytes_read,\n SAP_INT * bytes_written)\n [..]\n /* Generate output characters in reverse order ...................*/\n while (code \u003e= 256)\n {\n *stackp++ = TAB_SUFFIXOF(code);\n OVERFLOW_CHECK\n code = TAB_PREFIXOF(code);\n }\n[..]\nNote that the \"code\" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It\u0027s possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. \n\nIt\u0027s also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer (\"OVERFLOW_CHECK\"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled (\"CS_STACK_CHECK\" macro not defined at the time of compilation). \n\n7.2. LZH decompression out-of-bounds read\n\nThe vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes. \n\nThe following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::BuildHufTree (\n unsigned * b, /* code lengths in bits (all assumed \u003c= BMAX) */\n unsigned n, /* number of codes (assumed \u003c= N_MAX) */\n unsigned s, /* number of simple-valued codes (0..s-1) */\n int * d, /* list of base values for non-simple codes */\n int * e, /* list of extra bits for non-simple codes */\n HUFTREE **t, /* result: starting table */\n int * m) /* maximum lookup bits, returns actual */\n [..]\n if (p \u003e= v + n)\n {\n r.e = INVALIDCODE; /* out of values--invalid code */\n }\n else if (*p \u003c s)\n { /* 256 is end-of-block code */\n r.e = (unsigned char)(*p \u003c 256 ? LITCODE : EOBCODE);\n r.v.n = (unsigned short) *p; /* simple code is just the value*/\n p++;\n }\n else\n {\n r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/\n r.v.n = (unsigned short) d[*p - s];\n p++;\n }\n[..]\n \nThe \"e\" and \"d\" arrays are indexed with the value of \"*p - s\" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access. \n\n7.3. Attack scenarios\n\nThe vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:\n\n7.3.1. Attacks against server-side components\n\nSAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets. \n\n7.3.2. Client-side attacks\n\nAn attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. 
For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI. \n\n7.3.3. Man-in-the-middle attacks\n\nAs most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication. \n\n7.4. Looking in binaries for compression routines\n\nThe LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It\u0027s possible to check if a binary includes these functions by looking at whether the algorithm\u0027s constants are used in the program. \n\nThe following Radare [14] command can be used to check if a binary file includes the mentioned constants:\n\n \n$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff \u003cbinary_file\u003e\n \nExample output:\n\n \n$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 \n\nSAPCAR64: 000 @ 0x1082c1\n offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\n0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?.......... \n0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................ \n0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ \n0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. \n \n\n\n8. Report Timeline\n\n2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). \n2015-01-21: SAP confirms reception and requests a draft version of the advisory. \n2015-01-21: Core Security sends the draft version of the advisory to the vendor. \n2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 
\n2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. \n2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. \n2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. \n2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. \n2015-02-04: SAP states that they will be able to provide a fix by May\u0027s Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. \n2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. \n2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. \n2015-02-19: SAP states that it is thankful for Core\u0027s commitment to go for a coordinated release. They say they will keep us updated. \n2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. \n2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). \n2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core\u0027s advisory. 
Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. \n2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. \n2015-05-12: Core Security requests that SAP fixes the external ID (Core\u0027s ID) they used and offer Core\u0027s publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. \n2015-05-12: Advisory CORE-2015-0009 published. \n\n\n9. References\n\n[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. \n[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. \n[3] http://conus.info/utils/SAP_pkt_decompr.txt. \n[4] https://github.com/sensepost/SAPProx. \n[5] https://github.com/sensepost/SapCap. \n[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. \n[7] https://github.com/CoreSecurity/pysap. \n[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. \n[9] https://github.com/daberlin/sap-reposrc-decompressor. \n[10] https://labs.mwrinfosecurity.com/tools/sap-decom/. \n[11] http://www.oxid.it/cain.html. \n[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. \n[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. \n[14] http://radare.org/y/. \n[15] https://service.sap.com/securitynotes. \n\n\n10. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. 
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. \n\n\n11. About Core Security\n\nCore Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company\u0027s Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. \n\n\n12. Disclaimer\n\nThe contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n13. 
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc", "sources": [ { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "BID", "id": "74643" }, { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "PACKETSTORM", "id": "131883" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2015-2282", "trust": 2.9 }, { "db": "PACKETSTORM", "id": "131883", "trust": 1.8 }, { "db": "BID", "id": "74643", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2015-002923", "trust": 0.8 }, { "db": "SECUNIA", "id": "64440", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201505-483", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2015-2282", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "id": "VAR-201506-0132", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.167840075 }, "last_update_date": "2023-12-18T13:24:46.118000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Note 2124806/2121661/2127995/2125316", "trust": 0.8, "url": 
"http://scn.sap.com/docs/doc-55451" }, { "title": "martingalloar", "trust": 0.1, "url": "https://github.com/martingalloar/martingalloar " }, { "title": "publications", "trust": 0.1, "url": "https://github.com/martingalloar/publications " }, { "title": "The Register", "trust": 0.1, "url": "https://www.theregister.co.uk/2015/05/14/saps_compression_is_buggy_and_insecure/" }, { "title": "Threatpost", "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "NVD", "id": "CVE-2015-2282" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "trust": 1.7, "url": "http://packetstormsecurity.com/files/131883/sap-lzc-lzh-compression-denial-of-service.html" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/50" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/96" }, { "trust": 1.2, "url": "http://www.securityfocus.com/bid/74643" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2282" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2282" }, { "trust": 0.6, "url": 
"http://www.securityfocus.com/archive/1/archive/1/535535/100/0/threaded" }, { "trust": 0.6, "url": "http://secunia.com/advisories/64440" }, { "trust": 0.3, "url": "http://www.sap.com" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/119.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html." }, { "trust": 0.1, "url": "http://www.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapcap." }, { "trust": 0.1, "url": "https://github.com/coresecurity/sap-dissection-plug-in-for-wireshark." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapprox." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html." }, { "trust": 0.1, "url": "https://service.sap.com/securitynotes." }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "https://github.com/coresecurity/pysap." }, { "trust": 0.1, "url": "http://conus.info/utils/sap_pkt_decompr.txt." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2282" }, { "trust": 0.1, "url": "http://www.oxid.it/cain.html." }, { "trust": 0.1, "url": "https://labs.mwrinfosecurity.com/tools/sap-decom/." }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/daberlin/sap-reposrc-decompressor." }, { "trust": 0.1, "url": "http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html." }, { "trust": 0.1, "url": "http://radare.org/y/." }, { "trust": 0.1, "url": "http://en.wikipedia.org/wiki/lz77_and_lz78." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2278" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2015-2282" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2282" }, { "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-06-02T00:00:00", "db": "VULMON", "id": "CVE-2015-2282" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "date": "2015-05-13T17:48:36", "db": "PACKETSTORM", "id": "131883" }, { "date": "2015-06-02T14:59:08.880000", "db": "NVD", "id": "CVE-2015-2282" }, { "date": "2015-05-22T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-09T00:00:00", "db": "VULMON", "id": "CVE-2015-2282" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002923" }, { "date": "2018-10-09T19:56:14.093000", "db": "NVD", "id": "CVE-2015-2282" }, { "date": "2015-06-03T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-483" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-483" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "plural SAP Product LZC Stack-based buffer overflow vulnerability in the decompression implementation", "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002923" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-483" } ], "trust": 0.6 } }
var-200803-0281
Vulnerability from variot
sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings. SAP MaxDB is prone to a local privilege-escalation vulnerability. Exploiting this issue allows local attackers to execute arbitrary code with superuser privileges. This will lead to the complete compromise of an affected computer. This issue affects MaxDB 7.6.0.37 on both Linux and Solaris platforms. Other UNIX variants are most likely affected. Microsoft Windows versions are not vulnerable to this issue. iDefense Security Advisory 03.10.08 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 10, 2008
I. BACKGROUND
SAP's MaxDB is a database software product. MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "sdbstarter" program is set-uid root and installed by default. For more information, visit the product's website at the following URL.
https://www.sdn.sap.com/irj/sdn/maxdb
II. DESCRIPTION
Local exploitation of a design error in the "sdbstarter" program, as distributed with SAP AG's MaxDB, could allow attackers to elevate privileges to root.
This vulnerability exists due to a design error in the handling of certain environment variables. These variables are used to specify the configuration settings to be used by various MaxDB components.
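III. ANALYSIS
To exploit this vulnerability, an attacker must be able to execute the "sdbstarter" program. In a default installation, this requires that the attacker be a member of the "sdba" group. Because "sdbstarter" is set-uid root, membership of that group is the practical boundary between an unprivileged account and this escalation path.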
It is important to note that this vulnerability is not architecture dependent.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in SAP AG's MaxDB version 7.6.0.37 on both Linux and Solaris. Windows releases do not include the "sdbstarter" program.
V. WORKAROUND
iDefense is currently unaware of any effective workaround for this issue.
VI. VENDOR RESPONSE
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0306 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
12/05/2007 Initial vendor notification 12/06/2007 Initial vendor response 03/10/2008 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.
X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
TITLE: MaxDB Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA29312
VERIFY ADVISORY: http://secunia.com/advisories/29312/
CRITICAL: Highly critical
IMPACT: Privilege escalation, System access
WHERE:
From remote
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.
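1) A signedness error within the "vserver" component can be exploited to cause a heap corruption via a specially crafted packet sent to the port on which "vserver" listens (port 7210/TCP by default). (This item describes the remotely reachable "vserver" issue covered by the same Secunia advisory; the "sdbstarter" issue tracked in this entry as CVE-2008-0306 requires local access, so the "From remote" and "Highly critical" ratings above appear to reflect the combined advisory rather than this CVE alone.)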
PROVIDED AND/OR DISCOVERED BY: An anonymous researcher, reported via iDefense.
ORIGINAL ADVISORY: iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200803-0281", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.7, "vendor": "sap", "version": "7.6.0.37" } ], "sources": [ { "db": "BID", "id": "28185" }, { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ] 
}, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-0306" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Joshua J. Drake", "sources": [ { "db": "CNNVD", "id": "CNNVD-200803-176" } ], "trust": 0.6 }, "cve": "CVE-2008-0306", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.4, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": 
"AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 6.9, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2008-0306", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-0306", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-200803-176", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings. SAP MaxDB is prone to a local privilege-escalation vulnerability. \nExploiting this issue allows local attackers to execute arbitrary code with superuser privileges. This will lead to the complete compromise of an affected computer. \nThis issue affects MaxDB 7.6.0.37 on both Linux and Solaris platforms. Other UNIX variants are most likely affected. Microsoft Windows versions are not vulnerable to this issue. iDefense Security Advisory 03.10.08\nhttp://labs.idefense.com/intelligence/vulnerabilities/\nMar 10, 2008\n\nI. BACKGROUND\n\nSAP\u0027s MaxDB is a database software product. MaxDB was released as open\nsource from version 7.5 up to version 7.6.00. 
Later versions are no\nlonger open source but are available for download from the SAP SDN\nwebsite (sdn.sap.com) as a community edition with free community\nsupport for public use beyond the scope of SAP applications. The\n\"sdbstarter\" program is set-uid root and installed by default. For more\ninformation, visit the product\u0027s website at the following URL. \n\nhttps://www.sdn.sap.com/irj/sdn/maxdb\n\nII. DESCRIPTION\n\nLocal exploitation of a design error in the \"sdbstarter\" program, as\ndistributed with SAP AG\u0027s MaxDB, could allow attackers to elevate\nprivileges to root. \n\nThis vulnerability exists due to a design error in the handling of\ncertain environment variables. These variables are used to specify the\nconfiguration settings to be used by various MaxDB components. \n\nIII. To exploit this vulnerability, an attacker must be able to\nexecute the \"sdbstarter\" program. In a default installation, this\nrequires that the attacker be a member of the \"sdba\" group. \n\nIt is important to note that this vulnerability is not architecture\ndependent. \n\nIV. DETECTION\n\niDefense has confirmed the existence of this vulnerability in SAP AG\u0027s\nMaxDB version 7.6.0.37 on both Linux and Solaris. Windows releases do\nnot include the \"sdbstarter\" program. \n\nV. WORKAROUND\n\niDefense is currently unaware of any effective workaround for this\nissue. \n\nVI. VENDOR RESPONSE\n\nSAP AG has addressed this vulnerability by releasing a new version of\nMaxDB. For more information, consult SAP note 1140135. \n\nVII. CVE INFORMATION\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\nname CVE-2008-0306 to this issue. This is a candidate for inclusion in\nthe CVE list (http://cve.mitre.org/), which standardizes names for\nsecurity problems. \n\nVIII. DISCLOSURE TIMELINE\n\n12/05/2007 Initial vendor notification\n12/06/2007 Initial vendor response\n03/10/2008 Coordinated public disclosure\n\nIX. 
CREDIT\n\nThis vulnerability was discovered by Joshua J. Drake of VeriSign\niDefense Labs. \n\nGet paid for vulnerability research\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\n\nFree tools, research and upcoming events\nhttp://labs.idefense.com/\n\nX. LEGAL NOTICES\n\nCopyright \\xa9 2008 iDefense, Inc. \n\nPermission is granted for the redistribution of this alert\nelectronically. It may not be edited in any way without the express\nwritten consent of iDefense. If you wish to reprint the whole or any\npart of this alert in any other medium other than electronically,\nplease e-mail customerservice@idefense.com for permission. \n\nDisclaimer: The information in the advisory is believed to be accurate\nat the time of publishing based on currently available information. Use\nof the information constitutes acceptance for use in an AS IS condition. \n There are no warranties with regard to this information. Neither the\nauthor nor the publisher accepts any liability for any direct,\nindirect, or consequential loss or damage arising from use of, or\nreliance on, this information. \n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. 
\n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA29312\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/29312/\n\nCRITICAL:\nHighly critical\n\nIMPACT:\nPrivilege escalation, System access\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nMaxDB 7.x\nhttp://secunia.com/product/4012/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in MaxDB, which can be\nexploited by malicious, local users to gain escalated privileges, and\nby malicious people to potentially compromise a vulnerable system. \n\n1) A signedness error within the \"vserver\" component can be exploited\nto cause a heap corruption via a specially crafted packet sent to the\nport, which \"vserver\" is listening on (port 7210/TCP by default). \n\nPROVIDED AND/OR DISCOVERED BY:\nAn anonymous researcher, reported via iDefense. \n\nORIGINAL ADVISORY:\niDefense:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. 
\nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor", "sources": [ { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "BID", "id": "28185" }, { "db": "PACKETSTORM", "id": "64481" }, { "db": "PACKETSTORM", "id": "64375" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-0306", "trust": 2.8 }, { "db": "BID", "id": "28185", "trust": 1.9 }, { "db": "SECUNIA", "id": "29312", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-0844", "trust": 1.6 }, { "db": "SECTRACK", "id": "1019570", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2008-005380", "trust": 0.8 }, { "db": "XF", "id": "41104", "trust": 0.6 }, { "db": "IDEFENSE", "id": "20080310 SAP MAXDB SDBSTARTER PRIVILEGE ESCALATION VULNERABILITY", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200803-176", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "64481", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "64375", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "28185" }, { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "PACKETSTORM", "id": "64481" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "id": "VAR-200803-0281", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T13:58:13.403000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://maxdb.sap.com/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005380" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "CWE-DesignError", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "NVD", "id": "CVE-2008-0306" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "trust": 1.6, "url": "http://secunia.com/advisories/29312" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/28185" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1019570" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0306" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0306" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/41104" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2008/0844/references" }, { "trust": 0.4, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/489361" }, { "trust": 0.1, "url": "http://cve.mitre.org/)," }, { "trust": 0.1, "url": "http://secunia.com/" }, { "trust": 0.1, "url": "http://labs.idefense.com/intelligence/vulnerabilities/" }, { "trust": 0.1, "url": 
"https://nvd.nist.gov/vuln/detail/cve-2008-0306" }, { "trust": 0.1, "url": "http://labs.idefense.com/methodology/vulnerability/vcp.php" }, { "trust": 0.1, "url": "http://labs.idefense.com/" }, { "trust": 0.1, "url": "http://lists.grok.org.uk/full-disclosure-charter.html" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/product/4012/" }, { "trust": 0.1, "url": "https://psi.secunia.com/?page=changelog" }, { "trust": 0.1, "url": "https://psi.secunia.com/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/29312/" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" } ], "sources": [ { "db": "BID", "id": "28185" }, { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "PACKETSTORM", "id": "64481" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "28185" }, { "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "db": "PACKETSTORM", "id": "64481" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "NVD", "id": "CVE-2008-0306" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-03-10T00:00:00", "db": "BID", "id": "28185" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "date": "2008-03-13T00:31:09", "db": "PACKETSTORM", "id": "64481" }, { "date": "2008-03-12T17:55:23", "db": "PACKETSTORM", "id": "64375" }, { "date": "2008-03-11T23:44:00", "db": "NVD", "id": 
"CVE-2008-0306" }, { "date": "2008-03-11T00:00:00", "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-03-12T18:01:00", "db": "BID", "id": "28185" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005380" }, { "date": "2017-08-08T01:29:28.367000", "db": "NVD", "id": "CVE-2008-0306" }, { "date": "2008-09-05T00:00:00", "db": "CNNVD", "id": "CNNVD-200803-176" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "BID", "id": "28185" }, { "db": "PACKETSTORM", "id": "64481" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ], "trust": 1.1 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB of sdbstarter Vulnerable to arbitrary command execution", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005380" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Design Error", "sources": [ { "db": "BID", "id": "28185" }, { "db": "CNNVD", "id": "CNNVD-200803-176" } ], "trust": 0.9 } }
var-200903-0567
Vulnerability from variot
MaxDB is a database management system widely used in SAP applications. The webdbm script used by MaxDB does not properly validate the values passed in the Server, Database, and User parameters. A remote attacker can use these parameters to perform a cross-site scripting attack, resulting in theft of an administrator cookie, or in a fake login page that sends the password to the attacker when the user attempts to log in. SAP MaxDB is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200903-0567", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "7.8.01.18" }, { "model": "maxdb build", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.3007" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": 
"7.6.03.15" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.00.37" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.0.37" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.4.3.32" } ], "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" }, { "db": "BID", "id": "34319" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Digital Security Research Group [DSecRG]", "sources": [ { "db": "BID", "id": "34319" } ], "trust": 0.3 }, "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2009-1930", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "IVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", 
"exploitabilityScore": 8.0, "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.9 [IVD]" } ], "cvssV3": [], "severity": [ { "author": "CNVD", "id": "CNVD-2009-1930", "trust": 0.6, "value": "MEDIUM" }, { "author": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "LOW" } ] } ], "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MaxDB is a database management system widely used in SAP applications. The webdbm script used by MaxDB does not properly validate the parameters passed to the Server, Database, and User parameters. A remote attacker can perform a cross-site scripting attack by executing parameters, resulting in theft of an administrator cookie or a fake login page when the user attempts to log in. Send the password to the attacker. SAP MaxDB is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks", "sources": [ { "db": "CNVD", "id": "CNVD-2009-1930" }, { "db": "BID", "id": "34319" }, { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" } ], "trust": 0.99 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "34319", "trust": 0.9 }, { "db": "CNVD", "id": "CNVD-2009-1930", "trust": 0.8 }, { "db": "IVD", "id": "E7841A22-1FCD-11E6-ABEF-000C29C66E3D", "trust": 0.2 } ], "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" }, { "db": "BID", "id": "34319" } ] }, "id": "VAR-200903-0567", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" } ], "trust": 0.9359447000000001 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" } ] }, "last_update_date": "2022-05-17T01:43:47.382000Z", "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.6, "url": 
"http://marc.info/?l=bugtraq\u0026m=123852432711709\u0026w=2" }, { "trust": 0.3, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/502318" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2009-1930" }, { "db": "BID", "id": "34319" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" }, { "db": "BID", "id": "34319" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-03-31T00:00:00", "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "date": "2009-03-31T00:00:00", "db": "CNVD", "id": "CNVD-2009-1930" }, { "date": "2009-03-31T00:00:00", "db": "BID", "id": "34319" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-03-31T00:00:00", "db": "CNVD", "id": "CNVD-2009-1930" }, { "date": "2009-03-31T21:16:00", "db": "BID", "id": "34319" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "34319" } ], "trust": 0.3 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB webdbm Cross-Site Scripting Vulnerability", "sources": [ { "db": "IVD", "id": "e7841a22-1fcd-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2009-1930" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "Input Validation Error", "sources": [ { "db": "BID", "id": "34319" } ], "trust": 0.3 } }
var-201003-0494
Vulnerability from variot
Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information. Authentication is not required to exploit this vulnerability. The specific flaw exists within the serv.exe process which listens by default on TCP port 7210. The process trusts a value from a handshake packet and uses it as a length when copying data to the stack. If provided a malicious value and packet data, this can be leveraged to execute arbitrary code under the context of the SYSTEM user. Failed exploit attempts will result in a denial-of-service condition. ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-032 March 16, 2010
-- Affected Vendors: SAP
-- Affected Products: SAP MaxDB
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9403. Authentication is not required to exploit this vulnerability.
-- Vendor Response: SAP states: A solution was provided via SAP note 1409425 (https://service.sap.com/sap/support/notes/1409425)
-- Disclosure Timeline: 2009-11-09 - Vulnerability reported to vendor; 2010-03-16 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by: * AbdulAziz Hariri of Insight Technologies
-- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi. ----------------------------------------------------------------------
TITLE: MaxDB Handshake Packet Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA38955
VERIFY ADVISORY: http://secunia.com/advisories/38955/
DESCRIPTION: A vulnerability has been reported in MaxDB, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an input validation error within the processing of handshake packets in serv.exe. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet to port 7210/TCP. The vendor's solution is provided via SAP note 1409425: https://service.sap.com/sap/support/notes/1409425
PROVIDED AND/OR DISCOVERED BY: AbdulAziz Hariri of Insight Technologies, reported via ZDI.
ORIGINAL ADVISORY: http://www.zerodayinitiative.com/advisories/ZDI-10-032/
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201003-0494", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 1.9, "vendor": "sap", "version": "7.6.0.37" }, { "model": "maxdb", "scope": "eq", "trust": 1.9, "vendor": "sap", "version": "7.4.3.32" }, { "model": "maxdb", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": "7.6.06" }, { "model": "maxdb", "scope": 
"eq", "trust": 0.8, "vendor": "sap", "version": "7.4.3.32 and 7.6.0.37 to 7.6.06" }, { "model": "maxdb", "scope": null, "trust": 0.7, "vendor": "sap", "version": null }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.6" }, { "model": "maxdb build", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.3007" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.03.15" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.00.37" } ], "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "BID", "id": "38769" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "NVD", "id": "CVE-2010-1185" }, { "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6.06:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.4.3.32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2010-1185" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "AbdulAziz Hariri of Insight Technologies", "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "BID", "id": "38769" } ], "trust": 1.0 }, "cve": "CVE-2010-1185", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": 
"https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 10.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2010-1185", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 1.5, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2010-1185", "trust": 1.8, "value": "HIGH" }, { "author": "ZDI", "id": "CVE-2010-1185", "trust": 0.7, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201003-447", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "NVD", "id": "CVE-2010-1185" 
}, { "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information. Authentication is not required to exploit this vulnerability.The specific flaw exists within the serv.exe process which listens by default on TCP port 7210. The process trusts a value from a handshake packet and uses it as a length when copying data to the stack. If provided a malicious value and packet data, this can be leveraged to execute arbitrary code under the context of the SYSTEM user. Failed exploit attempts will result in a denial-of-service condition. ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-032\nMarch 16, 2010\n\n-- Affected Vendors:\nSAP\n\n-- Affected Products:\nSAP MaxDB\n\n-- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 9403. Authentication is not required to\nexploit this vulnerability. 
\n\n-- Vendor Response:\nSAP states:\nA solution was provided via SAP note 1409425\n(https://service.sap.com/sap/support/notes/1409425)\n\n-- Disclosure Timeline:\n2009-11-09 - Vulnerability reported to vendor\n2010-03-16 - Coordinated public release of advisory\n\n-- Credit:\nThis vulnerability was discovered by:\n * AbdulAziz Hariri of Insight Technologies\n\n-- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. TippingPoint does not re-sell the vulnerability details or any\nexploit code. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. \n\nOur vulnerability disclosure policy is available online at:\n\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\n\nFollow the ZDI on Twitter:\n\n http://twitter.com/thezdi. 
----------------------------------------------------------------------\n\n\nUse WSUS to deploy 3rd party patches\n\nPublic BETA\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB Handshake Packet Buffer Overflow Vulnerability\n\nSECUNIA ADVISORY ID:\nSA38955\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/38955/\n\nDESCRIPTION:\nA vulnerability has been reported in MaxDB, which can be exploited by\nmalicious people to compromise a vulnerable system. \n\nThe vulnerability is caused due to an input validation error within\nthe processing of handshake packets in serv.exe. This can be\nexploited to cause a stack-based buffer overflow by sending a\nspecially crafted packet to port 7210/TCP. \nhttps://service.sap.com/sap/support/notes/1409425\n\nPROVIDED AND/OR DISCOVERED BY:\nAbdulAziz Hariri of Insight Technologies, reported via ZDI. \n\nORIGINAL ADVISORY:\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-032/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2010-1185" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "BID", "id": "38769" }, { "db": "PACKETSTORM", "id": "87335" }, { "db": "PACKETSTORM", "id": "87413" } ], "trust": 2.7 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2010-1185", "trust": 3.4 }, { "db": "ZDI", "id": "ZDI-10-032", "trust": 2.8 }, { "db": "BID", "id": "38769", "trust": 1.9 }, { "db": "SECUNIA", "id": "38955", "trust": 1.8 }, { "db": "VUPEN", "id": "ADV-2010-0643", "trust": 1.6 }, { "db": "SECTRACK", "id": "1023719", "trust": 1.6 }, { "db": "OSVDB", "id": "63047", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2010-005362", "trust": 0.8 }, { "db": "ZDI_CAN", "id": "ZDI-CAN-610", "trust": 0.7 }, { "db": "XF", "id": "56950", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20100316 ZDI-10-032: SAP MAXDB MALFORMED HANDSHAKE REQUEST REMOTE CODE EXECUTION VULNERABILITY", "trust": 0.6 }, { "db": "NSFOCUS", "id": "14631", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201003-447", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "87335", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "87413", "trust": 0.1 } ], "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "BID", "id": "38769" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "PACKETSTORM", "id": "87335" }, { "db": "PACKETSTORM", "id": "87413" }, { "db": "NVD", "id": "CVE-2010-1185" }, { "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "id": "VAR-201003-0494", "iot": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T12:58:32.796000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://maxdb.sap.com/" }, { "title": "A solution was provided via SAP note 1409425 (", "trust": 0.7, "url": "https://service.sap.com/sap/support/notes/1409425)" } ], "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "NVD", "id": "CVE-2010-1185" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "http://www.zerodayinitiative.com/advisories/zdi-10-032/" }, { "trust": 1.6, "url": "http://osvdb.org/63047" }, { "trust": 1.6, "url": "http://secunia.com/advisories/38955" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/38769" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1023719" }, { "trust": 1.6, "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "trust": 1.0, "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" }, { "trust": 0.8, "url": "https://service.sap.com/sap/support/notes/1409425)" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1185" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1185" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/56950" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/510125/100/0/threaded" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/14631" }, { "trust": 0.3, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/510125" }, { "trust": 0.1, "url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/" }, { "trust": 0.1, "url": "http://www.zerodayinitiative.com/advisories/zdi-10-032" }, { "trust": 0.1, "url": "http://twitter.com/thezdi" }, { "trust": 0.1, "url": "http://www.tippingpoint.com" }, { "trust": 0.1, "url": "http://www.zerodayinitiative.com" }, { "trust": 0.1, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/38955/" }, { "trust": 0.1, "url": "https://service.sap.com/sap/support/notes/1409425" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/about_secunia_advisories/" } ], "sources": [ { "db": "ZDI", "id": "ZDI-10-032" }, { "db": "BID", "id": "38769" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "PACKETSTORM", "id": "87335" }, { "db": "PACKETSTORM", "id": "87413" }, { "db": "NVD", "id": "CVE-2010-1185" }, { "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "ZDI", "id": "ZDI-10-032" 
}, { "db": "BID", "id": "38769" }, { "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "db": "PACKETSTORM", "id": "87335" }, { "db": "PACKETSTORM", "id": "87413" }, { "db": "NVD", "id": "CVE-2010-1185" }, { "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-03-16T00:00:00", "db": "ZDI", "id": "ZDI-10-032" }, { "date": "2010-03-16T00:00:00", "db": "BID", "id": "38769" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "date": "2010-03-16T23:47:16", "db": "PACKETSTORM", "id": "87335" }, { "date": "2010-03-18T06:53:42", "db": "PACKETSTORM", "id": "87413" }, { "date": "2010-03-29T22:30:00.407000", "db": "NVD", "id": "CVE-2010-1185" }, { "date": "2010-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-03-16T00:00:00", "db": "ZDI", "id": "ZDI-10-032" }, { "date": "2010-05-10T12:32:00", "db": "BID", "id": "38769" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2010-005362" }, { "date": "2018-10-10T19:56:02.580000", "db": "NVD", "id": "CVE-2010-1185" }, { "date": "2010-03-30T00:00:00", "db": "CNNVD", "id": "CNNVD-201003-447" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "87335" }, { "db": "CNNVD", "id": "CNNVD-201003-447" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB of serv.exe Vulnerable to stack-based buffer 
overflow", "sources": [ { "db": "JVNDB", "id": "JVNDB-2010-005362" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201003-447" } ], "trust": 0.6 } }
var-200808-0238
Vulnerability from variot
Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable. SAP MaxDB is prone to a local privilege-escalation vulnerability that occurs in the 'dbmsrv' process because the application fails to sufficiently sanitize user-supplied input (here, the caller's PATH environment variable). An attacker can exploit this issue to execute arbitrary code with 'sdb:sdba' privileges. Successfully exploiting this issue will compromise the affected application and possibly the underlying computer. SAP MaxDB 7.6.03.15 on Linux is vulnerable; other versions running on different platforms may also be affected.
TITLE: MaxDB "dbmsrv" Privilege Escalation Vulnerability
SECUNIA ADVISORY ID: SA31318
VERIFY ADVISORY: http://secunia.com/advisories/31318/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: A vulnerability has been reported in MaxDB, which can be exploited by malicious, local users to gain escalated privileges.
PROVIDED AND/OR DISCOVERED BY: anonymous researcher, reported via iDefense
ORIGINAL ADVISORY: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

iDefense Security Advisory 07.30.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 30, 2008
I. BACKGROUND
SAP's MaxDB is a database software product. MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "dbmsrv" program is set-uid "sdb", set-gid "sdba", and installed by default. For more information, visit the product's website at the following URL.
https://www.sdn.sap.com/irj/sdn/maxdb
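II. DESCRIPTION
When a local user runs the "dbmcli" program, MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba". Because it runs with these elevated privileges, the untrusted search path noted in the summary (a PATH environment variable supplied by the calling user) is what makes privilege escalation possible.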
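III. ANALYSIS
Per the summary above, exploitation allows a local user to execute arbitrary code with 'sdb:sdba' privileges.

IV. DETECTION
SAP MaxDB 7.6.03.15 on Linux is affected. Other versions may also be vulnerable.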
V. WORKAROUND
iDefense is currently unaware of any workaround for this issue.
VI. VENDOR RESPONSE
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1178438.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1810 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
03/27/2008 Initial vendor notification
04/01/2008 Initial vendor response
07/30/2008 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200808-0238", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.1, "vendor": "sap", "version": "7.6.03.15" }, { "model": "kernel", "scope": null, "trust": 0.6, "vendor": "linux", "version": null } ], "sources": [ { "db": "BID", "id": "30474" }, { "db": "JVNDB", "id": "JVNDB-2008-005690" 
}, { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6.03.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-1810" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "iDEFENSE", "sources": [ { "db": "CNNVD", "id": "CNNVD-200808-004" } ], "trust": 0.6 }, "cve": "CVE-2008-1810", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": 
"PARTIAL", "exploitabilityScore": 3.4, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.4, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2008-1810", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-1810", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-200808-004", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable. SAP MaxDB is prone to a local privilege-escalation vulnerability that occurs in the \u0027dbmsrv\u0027 process because the application fails to sufficiently sanitize user-supplied input. \nAn attacker can exploit this issue to execute arbitrary code with \u0027sdb:sdba\u0027 privileges. Successfully exploiting this issue will compromise the affected application and possibly the underlying computer. 
\nSAP MaxDB 7.6.03.15 on Linux is vulnerable; other versions running on different platforms may also be affected. ----------------------------------------------------------------------\n\nWant a new job?\n\nhttp://secunia.com/secunia_security_specialist/\nhttp://secunia.com/hardcore_disassembler_and_reverse_engineer/\n\nInternational Partner Manager - Project Sales in the IT-Security\nIndustry:\nhttp://corporate.secunia.com/about_secunia/64/\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB \"dbmsrv\" Privilege Escalation Vulnerability\n\nSECUNIA ADVISORY ID:\nSA31318\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/31318/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nPrivilege escalation\n\nWHERE:\nLocal system\n\nSOFTWARE:\nMaxDB 7.x\nhttp://secunia.com/product/4012/\n\nDESCRIPTION:\nA vulnerability has been reported in MaxDB, which can be exploited by\nmalicious, local users to gain escalated privileges. \n\nPROVIDED AND/OR DISCOVERED BY:\nanonymous researcher, reported via iDefense\n\nORIGINAL ADVISORY:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. iDefense Security Advisory 07.30.08\nhttp://labs.idefense.com/intelligence/vulnerabilities/\nJul 30, 2008\n\nI. BACKGROUND\n\nSAP\u0027s MaxDB is a database software product. 
MaxDB was released as open\nsource from version 7.5 up to version 7.6.00. Later versions are no\nlonger open source but are available for download from the SAP SDN\nwebsite (sdn.sap.com) as a community edition with free community\nsupport for public use beyond the scope of SAP applications. The\n\"dbmsrv\" program is set-uid \"sdb\", set-gid \"sdba\", and installed by\ndefault. For more information, visit the product\u0027s website at the\nfollowing URL. \n\nhttps://www.sdn.sap.com/irj/sdn/maxdb\n\nII. \n\nWhen a local user runs the \"dbmcli\" program, the MaxDB executes a\n\"dbmsrv\" process on the user\u0027s behalf. The \"dbmsrv\" process, which is\nresponsible for executing user commands, runs as the user \"sdb\" with\ngroup \"sdba\". \n\nIII. \n\nIV. Other versions may also be vulnerable. \n\nV. WORKAROUND\n\niDefense is currently unaware of any workaround for this issue. \n\nVI. VENDOR RESPONSE\n\nSAP AG has addressed this vulnerability by releasing a new version of\nMaxDB. For more information, consult SAP note 1178438. \n\nVII. CVE INFORMATION\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\nname CVE-2008-1810 to this issue. This is a candidate for inclusion in\nthe CVE list (http://cve.mitre.org/), which standardizes names for\nsecurity problems. \n\nVIII. DISCLOSURE TIMELINE\n\n03/27/2008 Initial vendor notification\n04/01/2008 Initial vendor response\n07/30/2008 Coordinated public disclosure\n\nIX. CREDIT\n\nThe discoverer of this vulnerability wishes to remain anonymous. \n\nGet paid for vulnerability research\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\n\nFree tools, research and upcoming events\nhttp://labs.idefense.com/\n\nX. LEGAL NOTICES\n\nCopyright \\xa9 2008 iDefense, Inc. \n\nPermission is granted for the redistribution of this alert\nelectronically. It may not be edited in any way without the express\nwritten consent of iDefense. 
If you wish to reprint the whole or any\npart of this alert in any other medium other than electronically,\nplease e-mail customerservice@idefense.com for permission. \n\nDisclaimer: The information in the advisory is believed to be accurate\nat the time of publishing based on currently available information. Use\nof the information constitutes acceptance for use in an AS IS condition. \n There are no warranties with regard to this information. Neither the\nauthor nor the publisher accepts any liability for any direct,\nindirect, or consequential loss or damage arising from use of, or\nreliance on, this information", "sources": [ { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "BID", "id": "30474" }, { "db": "PACKETSTORM", "id": "68727" }, { "db": "PACKETSTORM", "id": "68694" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-1810", "trust": 2.8 }, { "db": "BID", "id": "30474", "trust": 1.9 }, { "db": "SECUNIA", "id": "31318", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-2267", "trust": 1.6 }, { "db": "SECTRACK", "id": "1020585", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2008-005690", "trust": 0.8 }, { "db": "IDEFENSE", "id": "20080730 SAP MAXDB DBMSRV UNTRUSTED EXECUTION PATH VULNERABILITY", "trust": 0.6 }, { "db": "XF", "id": "44125", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200808-004", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "68727", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "68694", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "30474" }, { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "PACKETSTORM", "id": "68727" }, { "db": "PACKETSTORM", "id": "68694" }, { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, 
"id": "VAR-200808-0238", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T13:35:14.124000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://maxdb.sap.com/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005690" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-264", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "NVD", "id": "CVE-2008-1810" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "trust": 1.6, "url": "http://secunia.com/advisories/31318" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/30474" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1020585" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1810" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1810" }, { "trust": 0.6, "url": 
"http://xforce.iss.net/xforce/xfdb/44125" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2008/2267/references" }, { "trust": 0.4, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/494990" }, { "trust": 0.1, "url": "http://secunia.com/product/4012/" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/hardcore_disassembler_and_reverse_engineer/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/31318/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_specialist/" }, { "trust": 0.1, "url": "http://corporate.secunia.com/about_secunia/64/" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://cve.mitre.org/)," }, { "trust": 0.1, "url": "http://labs.idefense.com/intelligence/vulnerabilities/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1810" }, { "trust": 0.1, "url": "http://labs.idefense.com/methodology/vulnerability/vcp.php" }, { "trust": 0.1, "url": "http://labs.idefense.com/" } ], "sources": [ { "db": "BID", "id": "30474" }, { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "PACKETSTORM", "id": "68727" }, { "db": "PACKETSTORM", "id": "68694" }, { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "30474" }, { "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "db": "PACKETSTORM", "id": "68727" }, { "db": "PACKETSTORM", "id": "68694" }, { "db": "NVD", "id": "CVE-2008-1810" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, 
"data": [ { "date": "2008-07-31T00:00:00", "db": "BID", "id": "30474" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "date": "2008-08-01T19:48:32", "db": "PACKETSTORM", "id": "68727" }, { "date": "2008-07-31T22:25:13", "db": "PACKETSTORM", "id": "68694" }, { "date": "2008-08-01T14:41:00", "db": "NVD", "id": "CVE-2008-1810" }, { "date": "2008-07-31T00:00:00", "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-07-31T22:07:00", "db": "BID", "id": "30474" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005690" }, { "date": "2017-08-08T01:30:28.387000", "db": "NVD", "id": "CVE-2008-1810" }, { "date": "2008-09-11T00:00:00", "db": "CNNVD", "id": "CNNVD-200808-004" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "BID", "id": "30474" }, { "db": "PACKETSTORM", "id": "68727" }, { "db": "PACKETSTORM", "id": "68694" }, { "db": "CNNVD", "id": "CNNVD-200808-004" } ], "trust": 1.1 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Linux Run on SAP MaxDB of dbmsrv Vulnerability gained in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005690" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "permissions and access control", "sources": [ { "db": "CNNVD", "id": "CNNVD-200808-004" } ], "trust": 0.6 } }
var-200803-0282
Vulnerability from variot
Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption. SAP MaxDB is prone to a heap-based memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Successfully exploiting this issue will compromise the affected application and possibly the underlying computer. This issue affects MaxDB 7.6.0.37 running on the Linux operating system. Other versions running on different platforms may also be affected.
TITLE: MaxDB Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA29312
VERIFY ADVISORY: http://secunia.com/advisories/29312/
CRITICAL: Highly critical
IMPACT: Privilege escalation, System access
WHERE: From remote
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to potentially compromise a vulnerable system.
(Item 1 of the advisory's list is not reproduced in this copy.)
2) An error exists within the "sdbstarter" program when handling environment variables. Successful exploitation requires that the attacker is a member of the "sdba" group.
PROVIDED AND/OR DISCOVERED BY: An anonymous researcher, reported via iDefense.
ORIGINAL ADVISORY: iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
iDefense Security Advisory 03.10.08 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 10, 2008
I. BACKGROUND
SAP's MaxDB is a database software product. MaxDB was released as open source from version 7.5 up to version 7.6.00. Later versions are no longer open source but are available for download from the SAP SDN website (sdn.sap.com) as a community edition with free community support for public use beyond the scope of SAP applications. The "vserver" program is responsible for accepting and handling communication with remote database clients. For more information, visit the product's website at the following URL.
https://www.sdn.sap.com/irj/sdn/maxdb
II. DESCRIPTION
After accepting a connection, the "vserver" process forks and reads parameters from the client into various structures. When doing so, it trusts values sent from the client to be valid. By sending a specially crafted request, an attacker can cause heap corruption. This leads to a potentially exploitable memory corruption condition.
III. ANALYSIS
In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 7210 with the target host. Additionally, the attacker must know the name of an active database on the server.
Since this service uses the fork() system call once a connection has been accepted, an attacker can repeatedly attempt to exploit this vulnerability. Some exploitation attempts may result in the database process ceasing to run, in which case further exploitation attempts will not be possible.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in SAP AG's MaxDB version 7.6.0.37 on Linux.
V. WORKAROUND
Employing firewalls to limit access to the affected service will mitigate exposure to this vulnerability.
VI. VENDOR RESPONSE
SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0307 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
12/06/2007 Initial vendor notification
12/10/2007 Initial vendor response
03/10/2008 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200803-0282", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.7, "vendor": "sap", "version": "7.6.0.37" } ], "sources": [ { "db": "BID", "id": "28183" }, { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ] 
}, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-0307" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "iDEFENSE", "sources": [ { "db": "CNNVD", "id": "CNNVD-200803-177" } ], "trust": 0.6 }, "cve": "CVE-2008-0307", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.6, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 9.3, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2008-0307", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-0307", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-200803-177", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption. SAP MaxDB is prone to a heap-based memory-corruption vulnerability. \nAn attacker can exploit this issue to execute arbitrary code within the context of the affected application. Successfully exploiting this issue will compromise the affected application and possibly the underlying computer. \nThis issue affects MaxDB 7.6.0.37 running on the Linux operating system. Other versions running on different platforms may also be affected. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. 
\n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA29312\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/29312/\n\nCRITICAL:\nHighly critical\n\nIMPACT:\nPrivilege escalation, System access\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nMaxDB 7.x\nhttp://secunia.com/product/4012/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in MaxDB, which can be\nexploited by malicious, local users to gain escalated privileges, and\nby malicious people to potentially compromise a vulnerable system. \n\n2) An error exists within the \"sdbstarter\" program when handling\nenvironment variables. \n\nSuccessful exploitation requires that the attacker is a member of the\n\"sdba\" group. \n\nPROVIDED AND/OR DISCOVERED BY:\nAn anonymous researcher, reported via iDefense. \n\nORIGINAL ADVISORY:\niDefense:\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. iDefense Security Advisory 03.10.08\nhttp://labs.idefense.com/intelligence/vulnerabilities/\nMar 10, 2008\n\nI. BACKGROUND\n\nSAP\u0027s MaxDB is a database software product. 
MaxDB was released as open\nsource from version 7.5 up to version 7.6.00. Later versions are no\nlonger open source but are available for download from the SAP SDN\nwebsite (sdn.sap.com) as a community edition with free community\nsupport for public use beyond the scope of SAP applications. The\n\"vserver\" program is responsible for accepting and handling\ncommunication with remote database clients. For more information, visit\nthe product\u0027s website at the following URL. \n\nhttps://www.sdn.sap.com/irj/sdn/maxdb\n\nII. \n\nAfter accepting a connection, the \"vserver\" process forks and reads\nparameters from the client into various structures. When doing so, it\ntrusts values sent from the client to be valid. By sending a specially\ncrafted request, an attacker can cause heap corruption. This leads to a\npotentially exploitable memory corruption condition. \n\nIII. In order to exploit this vulnerability, an\nattacker must be able to establish a TCP session on port 7210 with the\ntarget host. Additionally, the attacker must know the name of an active\ndatabase on the server. \n\nSince this service uses the fork() system call once a connection has\nbeen accepted, an attacker can repeatedly attempt to exploit this\nvulnerability. Some exploitation attempts may result in the database\nprocess ceasing to run, in which case further exploitation attempts\nwill not be possible. \n\nIV. DETECTION\n\niDefense has confirmed the existence of this vulnerability in SAP AG\u0027s\nMaxDB version 7.6.0.37 on Linux. \n\nV. WORKAROUND\n\nEmploying firewalls to limit access to the affected service will\nmitigate exposure to this vulnerability. \n\nVI. VENDOR RESPONSE\n\nSAP AG has addressed this vulnerability by releasing a new version of\nMaxDB. For more information, consult SAP note 1140135. \n\nVII. CVE INFORMATION\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\nname CVE-2008-0307 to this issue. 
This is a candidate for inclusion in\nthe CVE list (http://cve.mitre.org/), which standardizes names for\nsecurity problems. \n\nVIII. DISCLOSURE TIMELINE\n\n12/06/2007 Initial vendor notification\n12/10/2007 Initial vendor response\n03/10/2008 Coordinated public disclosure\n\nIX. CREDIT\n\nThe discoverer of this vulnerability wishes to remain anonymous. \n\nGet paid for vulnerability research\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\n\nFree tools, research and upcoming events\nhttp://labs.idefense.com/\n\nX. LEGAL NOTICES\n\nCopyright \\xa9 2008 iDefense, Inc. \n\nPermission is granted for the redistribution of this alert\nelectronically. It may not be edited in any way without the express\nwritten consent of iDefense. If you wish to reprint the whole or any\npart of this alert in any other medium other than electronically,\nplease e-mail customerservice@idefense.com for permission. \n\nDisclaimer: The information in the advisory is believed to be accurate\nat the time of publishing based on currently available information. Use\nof the information constitutes acceptance for use in an AS IS condition. \n There are no warranties with regard to this information. Neither the\nauthor nor the publisher accepts any liability for any direct,\nindirect, or consequential loss or damage arising from use of, or\nreliance on, this information. \n\n_______________________________________________\nFull-Disclosure - We believe in it. 
\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n", "sources": [ { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "BID", "id": "28183" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "PACKETSTORM", "id": "64480" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-0307", "trust": 2.8 }, { "db": "BID", "id": "28183", "trust": 1.9 }, { "db": "SECUNIA", "id": "29312", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-0844", "trust": 1.6 }, { "db": "SECTRACK", "id": "1019571", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2008-005381", "trust": 0.8 }, { "db": "IDEFENSE", "id": "20080310 SAP MAXDB SIGNEDNESS ERROR HEAP CORRUPTION VULNERABILITY", "trust": 0.6 }, { "db": "XF", "id": "41107", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200803-177", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "64375", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "64480", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "28183" }, { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "PACKETSTORM", "id": "64480" }, { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "id": "VAR-200803-0282", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T13:58:13.364000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://maxdb.sap.com/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005381" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-189", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "NVD", "id": "CVE-2008-0307" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "trust": 1.6, "url": "http://secunia.com/advisories/29312" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/28183" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1019571" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0307" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0307" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/41107" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2008/0844/references" }, { "trust": 0.4, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/489357" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/product/4012/" }, { "trust": 0.1, "url": "https://psi.secunia.com/?page=changelog" }, { "trust": 0.1, "url": "https://psi.secunia.com/" }, 
{ "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "trust": 0.1, "url": "http://secunia.com/advisories/29312/" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://cve.mitre.org/)," }, { "trust": 0.1, "url": "http://secunia.com/" }, { "trust": 0.1, "url": "http://labs.idefense.com/intelligence/vulnerabilities/" }, { "trust": 0.1, "url": "http://labs.idefense.com/methodology/vulnerability/vcp.php" }, { "trust": 0.1, "url": "http://labs.idefense.com/" }, { "trust": 0.1, "url": "http://lists.grok.org.uk/full-disclosure-charter.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-0307" } ], "sources": [ { "db": "BID", "id": "28183" }, { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "PACKETSTORM", "id": "64480" }, { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "28183" }, { "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "db": "PACKETSTORM", "id": "64375" }, { "db": "PACKETSTORM", "id": "64480" }, { "db": "NVD", "id": "CVE-2008-0307" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-03-10T00:00:00", "db": "BID", "id": "28183" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "date": "2008-03-12T17:55:23", "db": "PACKETSTORM", "id": "64375" }, { "date": "2008-03-13T00:29:44", "db": "PACKETSTORM", "id": "64480" }, { "date": "2008-03-11T23:44:00", "db": "NVD", "id": "CVE-2008-0307" }, { "date": "2008-03-11T00:00:00", 
"db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-03-12T17:21:00", "db": "BID", "id": "28183" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005381" }, { "date": "2017-08-08T01:29:28.430000", "db": "NVD", "id": "CVE-2008-0307" }, { "date": "2008-09-05T00:00:00", "db": "CNNVD", "id": "CNNVD-200803-177" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "64480" }, { "db": "CNNVD", "id": "CNNVD-200803-177" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB of vserver Integer sign error vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005381" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "digital error", "sources": [ { "db": "CNNVD", "id": "CNNVD-200803-177" } ], "trust": 0.6 } }
var-201808-0802
Vulnerability from variot
SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from the database. SAP MaxDB (liveCache) contains an SQL injection vulnerability: information may be obtained or altered, and service operation may be disrupted (DoS). SAP MaxDB is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SAP MaxDB (liveCache) 7.8 and 7.9 are vulnerable. Because exploitation requires DBM operator privileges, exposure depends on who holds that role; the references for this entry list SAP note 2660005 and the August 2018 SAP Security Patch Day for remediation details.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201808-0802", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.7, "vendor": "sap", "version": "7.9" }, { "model": "maxdb", "scope": "eq", "trust": 2.7, "vendor": "sap", "version": "7.8" } ], "sources": [ { "db": "BID", "id": "105063" }, { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { 
"db": "NVD", "id": "CVE-2018-2450" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2018-2450" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The vendor reported this issue.", "sources": [ { "db": "BID", "id": "105063" } ], "trust": 0.3 }, "cve": "CVE-2018-2450", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 6.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2018-2450", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.2, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.2, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2018-2450", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2018-2450", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201808-427", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "NVD", "id": "CVE-2018-2450" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "description": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database. SAP MaxDB (liveCache) Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SAP MaxDB is prone to an unspecified SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. \nAn attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \nSAP MaxDB (liveCache) 7.8 and 7.9 are vulnerable", "sources": [ { "db": "NVD", "id": "CVE-2018-2450" }, { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "BID", "id": "105063" } ], "trust": 1.89 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-2450", "trust": 2.7 }, { "db": "BID", "id": "105063", "trust": 1.3 }, { "db": "JVNDB", "id": "JVNDB-2018-009019", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201808-427", "trust": 0.6 } ], "sources": [ { "db": "BID", "id": "105063" }, { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "NVD", "id": "CVE-2018-2450" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "id": "VAR-201808-0802", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } 
], "trust": 0.1359447 }, "last_update_date": "2023-12-18T12:28:46.007000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Patch Day - August 2018", "trust": 0.8, "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=499352742" }, { "title": "SAP MaxDB(liveCache Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=83883" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-89", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "NVD", "id": "CVE-2018-2450" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.9, "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "trust": 1.9, "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=499352742" }, { "trust": 1.0, "url": "http://www.securityfocus.com/bid/105063" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2450" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-2450" }, { "trust": 0.3, "url": "http://www.sap.com" } ], "sources": [ { "db": "BID", "id": "105063" }, { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "NVD", "id": "CVE-2018-2450" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "sources": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "105063" }, { "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "db": "NVD", "id": "CVE-2018-2450" }, { "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-14T00:00:00", "db": "BID", "id": "105063" }, { "date": "2018-11-06T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "date": "2018-08-14T16:29:01.553000", "db": "NVD", "id": "CVE-2018-2450" }, { "date": "2018-08-14T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-14T00:00:00", "db": "BID", "id": "105063" }, { "date": "2018-11-06T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-009019" }, { "date": "2018-10-11T16:47:12.083000", "db": "NVD", "id": "CVE-2018-2450" }, { "date": "2018-08-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-427" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201808-427" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB In SQL Injection vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009019" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SQL injection", "sources": [ { "db": "CNNVD", "id": 
"CNNVD-201808-427" } ], "trust": 0.6 } }
var-200801-0222
Vulnerability from variot
SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via "&&" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe. SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. Multiple database commands expose this issue, including one that is available prior to authentication. MaxDB 7.6.03 build 007 is vulnerable to this issue; other versions may also be affected.
TITLE: MaxDB DBM Command Processing Command Execution Vulnerability
SECUNIA ADVISORY ID: SA28409
VERIFY ADVISORY: http://secunia.com/advisories/28409/
CRITICAL: Moderately critical
IMPACT: System access
WHERE:
From local network
SOFTWARE: MaxDB 7.x http://secunia.com/product/4012/
DESCRIPTION: Luigi Auriemma has discovered a vulnerability in MaxDB, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an input validation error in the handling of certain DBM commands (e.g. exec_sdbinfo), which can be triggered by sending a specially crafted packet to the default port 7210/TCP.
The vulnerability is confirmed in version 7.6.03.07 on Windows.
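SOLUTION: Restrict network access to the database service. Because at least one of the affected commands is available prior to authentication, database credentials alone do not limit exposure; access to the service port has to be filtered at the network level.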
PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma
ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/sapone-adv.txt
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200801-0222", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "lte", "trust": 1.0, "vendor": "sap", "version": "7.6.3_build_007" }, { "model": "maxdb", "scope": "lte", "trust": 0.8, "vendor": "sap", "version": "7.6.03 build 007" }, { "model": "maxdb", "scope": "eq", "trust": 0.6, "vendor": "sap", "version": "7.6.3_build_007" }, { 
"model": "maxdb build", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.3007" } ], "sources": [ { "db": "BID", "id": "27206" }, { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "7.6.3_build_007", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-0244" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Luigi Auriemma\u203b aluigi@pivx.com", "sources": [ { "db": "CNNVD", "id": "CNNVD-200801-173" } ], "trust": 0.6 }, "cve": "CVE-2008-0244", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", 
"baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 10.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2008-0244", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-0244", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-200801-173", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via \"\u0026\u0026\" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe. SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. Multiple database commands expose this issue, including one that is available prior to authentication. 
\nMaxDB 7.6.03 build 007 is vulnerable to this issue; other versions may also be affected. \n\n----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. \n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nMaxDB DBM Command Processing Command Execution Vulnerability\n\nSECUNIA ADVISORY ID:\nSA28409\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/28409/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nSystem access\n\nWHERE:\n\u003eFrom local network\n\nSOFTWARE:\nMaxDB 7.x\nhttp://secunia.com/product/4012/\n\nDESCRIPTION:\nLuigi Auriemma has discovered a vulnerability in MaxDB, which can be\nexploited by malicious people to compromise a vulnerable system. \n\nThe vulnerability is caused due to an input validation error in the\nhandling of certain DBM commands (e.g. sending a specially crafted packet to default port 7210/TCP. \n\nThe vulnerability is confirmed in version 7.6.03.07 on Windows. \n\nSOLUTION:\nRestrict network access to the database service. \n\nPROVIDED AND/OR DISCOVERED BY:\nLuigi Auriemma\n\nORIGINAL ADVISORY:\nhttp://aluigi.altervista.org/adv/sapone-adv.txt\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. 
\nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "BID", "id": "27206" }, { "db": "PACKETSTORM", "id": "62509" } ], "trust": 1.98 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2008-0244", "trust": 2.7 }, { "db": "BID", "id": "27206", "trust": 1.9 }, { "db": "SECUNIA", "id": "28409", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-0104", "trust": 1.6 }, { "db": "EXPLOIT-DB", "id": "4877", "trust": 1.6 }, { "db": "SREASON", "id": "3536", "trust": 1.6 }, { "db": "SECTRACK", "id": "1019171", "trust": 1.6 }, { "db": "JVNDB", "id": "JVNDB-2008-005366", "trust": 0.8 }, { "db": "XF", "id": "39573", "trust": 0.6 }, { "db": "MILW0RM", "id": "4877", "trust": 0.6 }, { "db": "NSFOCUS", "id": "11368", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20080109 PRE-AUTH REMOTE COMMANDS EXECUTION IN SAP MAXDB 7.6.03.07", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200801-173", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "62509", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "27206" }, { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "PACKETSTORM", "id": "62509" }, { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "id": "VAR-200801-0222", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2023-12-18T13:04:54.989000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "http://maxdb.sap.com/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005366" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-20", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "NVD", "id": "CVE-2008-0244" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "trust": 1.6, "url": "http://secunia.com/advisories/28409" }, { "trust": 1.6, "url": "http://securityreason.com/securityalert/3536" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/27206" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1019171" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "trust": 1.0, "url": "https://www.exploit-db.com/exploits/4877" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0244" }, { "trust": 0.8, "url": 
"http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0244" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/39573" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/486039/100/0/threaded" }, { "trust": 0.6, "url": "http://www.milw0rm.com/exploits/4877" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2008/0104" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/11368" }, { "trust": 0.3, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": "/archive/1/486039" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/product/4012/" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "https://psi.secunia.com/?page=changelog" }, { "trust": 0.1, "url": "https://psi.secunia.com/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/28409/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" } ], "sources": [ { "db": "BID", "id": "27206" }, { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "PACKETSTORM", "id": "62509" }, { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "27206" }, { "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "db": "PACKETSTORM", "id": "62509" }, { "db": "NVD", "id": "CVE-2008-0244" }, { "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-01-09T00:00:00", "db": "BID", "id": "27206" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "date": "2008-01-10T23:06:04", "db": "PACKETSTORM", "id": "62509" }, { "date": 
"2008-01-12T02:46:00", "db": "NVD", "id": "CVE-2008-0244" }, { "date": "2008-01-11T00:00:00", "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-02-09T05:51:00", "db": "BID", "id": "27206" }, { "date": "2012-12-20T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-005366" }, { "date": "2018-10-15T21:58:51.733000", "db": "NVD", "id": "CVE-2008-0244" }, { "date": "2008-09-05T00:00:00", "db": "CNNVD", "id": "CNNVD-200801-173" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200801-173" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB Vulnerable to arbitrary command execution", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-005366" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "input validation", "sources": [ { "db": "CNNVD", "id": "CNNVD-200801-173" } ], "trust": 0.6 } }
var-200712-0506
Vulnerability from variot
SAP MaxDB is prone to an unspecified remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will crash the application. This issue affects MaxDB 7.6.00.37 and 7.4.3.32; other versions may also be affected.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200712-0506", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.6.00.37" }, { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.4.3.32" } ], "sources": [ { "db": "BID", "id": "26822" } ] }, "credits": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "WabiSabiLabi disclosed this vulnerability.", "sources": [ { "db": "BID", "id": "26822" } ], "trust": 0.3 }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB is prone to an unspecified remote code-execution vulnerability.\nAn attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will crash the application.\nThis issue affects MaxDB 7.6.00.37 and 7.4.3.32; other versions may also be affected.", "sources": [ { "db": "BID", "id": "26822" } ], "trust": 0.3 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "26822", "trust": 0.3 } ], "sources": [ { "db": "BID", "id": "26822" } ] }, "id": "VAR-200712-0506", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2022-05-17T01:49:24.936000Z", "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.3, "url": "http://wabisabilabi.blogspot.com/2007/12/focus-on-sap-maxdb-remote-code.html" }, { "trust": 0.3, "url": "https://www.sdn.sap.com/irj/sdn/maxdb" }, { "trust": 0.3, "url": 
"http://wslabi.com/wabisabilabi/showbidinfo.do?code=zd-00000166" } ], "sources": [ { "db": "BID", "id": "26822" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "26822" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2007-12-11T00:00:00", "db": "BID", "id": "26822" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2007-12-12T21:32:00", "db": "BID", "id": "26822" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "network", "sources": [ { "db": "BID", "id": "26822" } ], "trust": 0.3 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB Unspecified Remote Execution Vulnerability", "sources": [ { "db": "BID", "id": "26822" } ], "trust": 0.3 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Unknown", "sources": [ { "db": "BID", "id": "26822" } ], "trust": 0.3 } }
var-190001-0139
Vulnerability from variot
SAP MaxDB is prone to a denial-of-service vulnerability. Attackers may leverage this issue to crash the affected application, denying service to legitimate users. SAP MaxDB 7.8.01.18 is vulnerable; other versions may also be affected.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-190001-0139", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "7.8.01.18" } ], "sources": [ { "db": "BID", "id": "48646" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Abdul-Aziz Hariri", "sources": [ { "db": "BID", "id": "48646" }, { "db": "CNNVD", "id": "CNNVD-201107-144" } ], "trust": 0.9 }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB is prone to a denial-of-service vulnerability.\nAttackers may leverage this issue to crash the affected application, denying service to legitimate users.\nSAP MaxDB 7.8.01.18 is vulnerable; other versions may also be affected.", "sources": [ { "db": "BID", "id": "48646" } ], "trust": 0.3 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "48646", "trust": 0.9 }, { "db": "CNNVD", "id": "CNNVD-201107-144", "trust": 0.6 } ], "sources": [ { "db": "BID", "id": "48646" }, { "db": "CNNVD", "id": "CNNVD-201107-144" } ] }, "id": "VAR-190001-0139", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.1359447 }, "last_update_date": "2022-05-17T01:55:40.371000Z", "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 0.6, "url": "http://www.securityfocus.com/bid/48646" }, { "trust": 0.3, "url": "https://service.sap.com/sap/support/notes/1594180" } ], "sources": [ { "db": "BID", "id": "48646" }, { "db": "CNNVD", "id": "CNNVD-201107-144" } ] }, "sources": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "48646" }, { "db": "CNNVD", "id": "CNNVD-201107-144" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-07-12T00:00:00", "db": "BID", "id": "48646" }, { "date": "1900-01-01T00:00:00", "db": "CNNVD", "id": "CNNVD-201107-144" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-03-19T09:09:00", "db": "BID", "id": "48646" }, { "date": "2011-07-14T00:00:00", "db": "CNNVD", "id": "CNNVD-201107-144" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201107-144" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "SAP MaxDB NULL Pointer Dereference Denial of Service Vulnerability", "sources": [ { "db": "BID", "id": "48646" }, { "db": "CNNVD", "id": "CNNVD-201107-144" } ], "trust": 0.9 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201107-144" } ], "trust": 0.6 } }
var-201506-0131
Vulnerability from variot
The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. The vendor has confirmed this vulnerability and published it as SAP Security Notes 2124806, 2121661, 2127995, and 2125316. An attacker may be able to cause a denial of service (out-of-bounds read). Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.
1. Advisory Information
Title: SAP LZC/LZH Compression Multiple Vulnerabilities Advisory ID: CORE-2015-0009 Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities Date published: 2015-05-12 Date of last update: 2015-05-12 Vendors contacted: SAP Release mode: Coordinated release
- Vulnerability Information
Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125] Impact: Denial of service Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2015-2282, CVE-2015-2278
- Vulnerability Description
SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.
- Vulnerable Packages
SAP Netweaver Application Server ABAP. SAP Netweaver Application Server Java. SAP Netweaver RFC SDK SAP RFC SDK SAP GUI SAP MaxDB database SAPCAR archive tool Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
SAP published the following Security Notes:
2124806 2121661 2127995 2125316 They can be accessed by SAP clients in their Support Portal [15].
Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.
- Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
- Technical Description / Proof of Concept Code
SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11].
The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.
7.1. LZC decompression stack-based buffer overflow
The vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters.
The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                               SAP_INT inlen,
                               SAP_BYTE * outbuf,
                               SAP_INT outlen,
                               SAP_INT option,
                               SAP_INT * bytes_read,
                               SAP_INT * bytes_written)
  [..]
  /* Generate output characters in reverse order ...................*/
  while (code >= 256)
  {
    *stackp++ = TAB_SUFFIXOF(code);
    OVERFLOW_CHECK
    code = TAB_PREFIXOF(code);
  }
[..]
Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables.
It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation).
7.2. LZH decompression out-of-bounds read
The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.
The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer.
[..]
int CsObjectInt::BuildHufTree (
        unsigned * b,  /* code lengths in bits (all assumed <= BMAX) */
        unsigned n,    /* number of codes (assumed <= N_MAX) */
        unsigned s,    /* number of simple-valued codes (0..s-1) */
        int * d,       /* list of base values for non-simple codes */
        int * e,       /* list of extra bits for non-simple codes */
        HUFTREE **t,   /* result: starting table */
        int * m)       /* maximum lookup bits, returns actual */
  [..]
  if (p >= v + n)
  {
    r.e = INVALIDCODE; /* out of values--invalid code */
  }
  else if (*p < s)
  { /* 256 is end-of-block code */
    r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
    r.v.n = (unsigned short) *p; /* simple code is just the value*/
    p++;
  }
  else
  {
    r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/
    r.v.n = (unsigned short) d[*p - s];
    p++;
  }
[..]
The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. The excerpt shows no check of that index against the length of either array before the look-up. When the code is reached, this results in an out-of-bounds read access.
7.3. Attack scenarios
The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:
7.3.1. Attacks against server-side components
SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.
7.3.2. Client-side attacks
An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.
7.3.3. Man-in-the-middle attacks
As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.
7.4. Looking in binaries for compression routines
The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program.
The following Radare [14] command can be used to check if a binary file includes the mentioned constants:
$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file>
Example output:
$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64
SAPCAR64: 000 @ 0x1082c1
  offset    0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x001082c1  0103 070f 1f3f 7fff fffe fcf8 f0e0 c080  .....?..........
0x001082d1  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x001082e1  0000 0000 0000 0000 0000 0000 0000 0004  ................
0x001082f1  0000 0004 0000 0010 0000 0000 0000 0006  ................
0x00108301  0000 0008 0000 0010 0000 0000 0000       ..............
- Report Timeline
2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). 2015-01-21: SAP confirms reception and requests a draft version of the advisory. 2015-01-21: Core Security sends the draft version of the advisory to the vendor. 2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. 2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. 2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. 2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. 2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. 2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. 2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. 2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated. 2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. 
2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015).
2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix.
2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before it is published.
2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offer Core's publication link. Additionally, Core explained that it is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email.
2015-05-12: Advisory CORE-2015-0009 published.
- References
[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. [2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. [3] http://conus.info/utils/SAP_pkt_decompr.txt. [4] https://github.com/sensepost/SAPProx. [5] https://github.com/sensepost/SapCap. [6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. [7] https://github.com/CoreSecurity/pysap. [8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. [9] https://github.com/daberlin/sap-reposrc-decompressor. [10] https://labs.mwrinfosecurity.com/tools/sap-decom/. [11] http://www.oxid.it/cain.html. [12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. [13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. [14] http://radare.org/y/. [15] https://service.sap.com/securitynotes.
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201506-0131", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.5" }, { "model": "maxdb", "scope": "eq", "trust": 2.4, "vendor": "sap", "version": "7.6" }, { "model": "gui", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": 
"netweaver rfc sdk", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver java application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "netweaver abap application server", "scope": "eq", "trust": 1.6, "vendor": "sap", "version": null }, { "model": "rfc library", "scope": "eq", "trust": 1.0, "vendor": "sap", "version": "*" }, { "model": "gui", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server abap", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver application server java", "scope": null, "trust": 0.8, "vendor": "sap", "version": null }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.8, "vendor": "sap", "version": "\\u3000" }, { "model": "rfc library", "scope": null, "trust": 0.6, "vendor": "sap", "version": null }, { "model": "sapcar archive tool", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver rfc sdk", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server java", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "netweaver application server abap", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "maxdb database", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" }, { "model": "gui", "scope": "eq", "trust": 0.3, "vendor": "sap", "version": "0" } ], "sources": [ { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": 
"@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2015-2278" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Martin Gallo of Core Security Consulting Services.", "sources": [ { "db": "BID", "id": "74643" } ], "trust": 0.3 }, "cve": "CVE-2015-2278", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", 
"authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2015-2278", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2015-2278", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201505-482", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2015-2278", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, 
related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. Vendors have confirmed this vulnerability SAP Security Note 2124806 , 2121661 , 2127995 ,and 2125316 It is released as.Denial of service by attacker (out-of-bounds read) There is a possibility of being put into a state. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. \nRemote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. 1. Advisory Information\n\nTitle: SAP LZC/LZH Compression Multiple Vulnerabilities\nAdvisory ID: CORE-2015-0009\nAdvisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities\nDate published: 2015-05-12\nDate of last update: 2015-05-12\nVendors contacted: SAP\nRelease mode: Coordinated release\n\n2. Vulnerability Information\n\nClass: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]\nImpact: Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2015-2282, CVE-2015-2278\n\n\n3. Vulnerability Description\n\nSAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. \n\n\n4. Vulnerable Packages\n\nSAP Netweaver Application Server ABAP. \nSAP Netweaver Application Server Java. \nSAP Netweaver RFC SDK\nSAP RFC SDK\nSAP GUI\nSAP MaxDB database\nSAPCAR archive tool\nOther products and versions might be affected, but they were not tested. \n\n\n5. 
Vendor Information, Solutions and Workarounds\n\nSAP published the following Security Notes:\n\n2124806\n2121661\n2127995\n2125316\nThey can be accessed by SAP clients in their Support Portal [15]. \n\nDevelopers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP. \n\n\n6. Credits\n\nThis vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaqu\u00edn Rodr\u00edguez Varela from Core Advisories Team. \n\n\n\n7. Technical Description / Proof of Concept Code\n\nSAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11]. \n\nThe code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below. \n\n7.1. LZC decompression stack-based buffer overflow\n\nThe vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters. \n\nThe following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,\n SAP_INT inlen,\n SAP_BYTE * outbuf,\n SAP_INT outlen,\n SAP_INT option,\n SAP_INT * bytes_read,\n SAP_INT * bytes_written)\n [..]\n /* Generate output characters in reverse order ...................*/\n while (code \u003e= 256)\n {\n *stackp++ = TAB_SUFFIXOF(code);\n OVERFLOW_CHECK\n code = TAB_PREFIXOF(code);\n }\n[..]\nNote that the \"code\" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It\u0027s possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. \n\nIt\u0027s also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer (\"OVERFLOW_CHECK\"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled (\"CS_STACK_CHECK\" macro not defined at the time of compilation). \n\n7.2. LZH decompression out-of-bounds read\n\nThe vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes. \n\nThe following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer. 
\n\n \n[..]\nint CsObjectInt::BuildHufTree (\n unsigned * b, /* code lengths in bits (all assumed \u003c= BMAX) */\n unsigned n, /* number of codes (assumed \u003c= N_MAX) */\n unsigned s, /* number of simple-valued codes (0..s-1) */\n int * d, /* list of base values for non-simple codes */\n int * e, /* list of extra bits for non-simple codes */\n HUFTREE **t, /* result: starting table */\n int * m) /* maximum lookup bits, returns actual */\n [..]\n if (p \u003e= v + n)\n {\n r.e = INVALIDCODE; /* out of values--invalid code */\n }\n else if (*p \u003c s)\n { /* 256 is end-of-block code */\n r.e = (unsigned char)(*p \u003c 256 ? LITCODE : EOBCODE);\n r.v.n = (unsigned short) *p; /* simple code is just the value*/\n p++;\n }\n else\n {\n r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/\n r.v.n = (unsigned short) d[*p - s];\n p++;\n }\n[..]\n \nThe \"e\" and \"d\" arrays are indexed with the value of \"*p - s\" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access. \n\n7.3. Attack scenarios\n\nThe vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified:\n\n7.3.1. Attacks against server-side components\n\nSAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets. \n\n7.3.2. Client-side attacks\n\nAn attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. 
For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI. \n\n7.3.3. Man-in-the-middle attacks\n\nAs most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication. \n\n7.4. Looking in binaries for compression routines\n\nThe LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It\u0027s possible to check if a binary includes these functions by looking at whether the algorithm\u0027s constants are used in the program. \n\nThe following Radare [14] command can be used to check if a binary file includes the mentioned constants:\n\n \n$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff \u003cbinary_file\u003e\n \nExample output:\n\n \n$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 \n\nSAPCAR64: 000 @ 0x1082c1\n offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\n0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?.......... \n0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................ \n0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ \n0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. \n \n\n\n8. Report Timeline\n\n2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). \n2015-01-21: SAP confirms reception and requests a draft version of the advisory. \n2015-01-21: Core Security sends the draft version of the advisory to the vendor. \n2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 
\n2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. \n2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. \n2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. \n2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. \n2015-02-04: SAP states that they will be able to provide a fix by May\u0027s Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. \n2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. \n2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. \n2015-02-19: SAP states that it is thankful for Core\u0027s commitment to go for a coordinated release. They say they will keep us updated. \n2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. \n2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). \n2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core\u0027s advisory. 
Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. \n2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. \n2015-05-12: Core Security requests that SAP fixes the external ID (Core\u0027s ID) they used and offer Core\u0027s publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. \n2015-05-12: Advisory CORE-2015-0009 published. \n\n\n9. References\n\n[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. \n[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. \n[3] http://conus.info/utils/SAP_pkt_decompr.txt. \n[4] https://github.com/sensepost/SAPProx. \n[5] https://github.com/sensepost/SapCap. \n[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. \n[7] https://github.com/CoreSecurity/pysap. \n[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. \n[9] https://github.com/daberlin/sap-reposrc-decompressor. \n[10] https://labs.mwrinfosecurity.com/tools/sap-decom/. \n[11] http://www.oxid.it/cain.html. \n[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. \n[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. \n[14] http://radare.org/y/. \n[15] https://service.sap.com/securitynotes. \n\n\n10. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. 
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. \n\n\n11. About Core Security\n\nCore Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company\u0027s Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. \n\n\n12. Disclaimer\n\nThe contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n13. 
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc", "sources": [ { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "BID", "id": "74643" }, { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "PACKETSTORM", "id": "131883" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2015-2278", "trust": 2.9 }, { "db": "PACKETSTORM", "id": "131883", "trust": 1.8 }, { "db": "BID", "id": "74643", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2015-002925", "trust": 0.8 }, { "db": "SECUNIA", "id": "64440", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201505-482", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2015-2278", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "id": "VAR-201506-0131", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.167840075 }, "last_update_date": "2023-12-18T13:24:46.085000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "SAP Security Note 2124806/2121661/2127995/2125316", "trust": 0.8, "url": 
"http://scn.sap.com/docs/doc-55451" }, { "title": "martingalloar", "trust": 0.1, "url": "https://github.com/martingalloar/martingalloar " }, { "title": "publications", "trust": 0.1, "url": "https://github.com/martingalloar/publications " }, { "title": "The Register", "trust": 0.1, "url": "https://www.theregister.co.uk/2015/05/14/saps_compression_is_buggy_and_insecure/" }, { "title": "Threatpost", "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "NVD", "id": "CVE-2015-2278" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "trust": 1.7, "url": "http://packetstormsecurity.com/files/131883/sap-lzc-lzh-compression-denial-of-service.html" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/50" }, { "trust": 1.7, "url": "http://seclists.org/fulldisclosure/2015/may/96" }, { "trust": 1.2, "url": "http://www.securityfocus.com/bid/74643" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2278" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2278" }, { "trust": 0.6, "url": 
"http://www.securityfocus.com/archive/1/archive/1/535535/100/0/threaded" }, { "trust": 0.6, "url": "http://secunia.com/advisories/64440" }, { "trust": 0.3, "url": "http://www.sap.com" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/119.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html." }, { "trust": 0.1, "url": "http://www.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapcap." }, { "trust": 0.1, "url": "https://github.com/coresecurity/sap-dissection-plug-in-for-wireshark." }, { "trust": 0.1, "url": "https://github.com/sensepost/sapprox." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/" }, { "trust": 0.1, "url": "http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html." }, { "trust": 0.1, "url": "https://service.sap.com/securitynotes." }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "https://github.com/coresecurity/pysap." }, { "trust": 0.1, "url": "http://conus.info/utils/sap_pkt_decompr.txt." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2282" }, { "trust": 0.1, "url": "http://www.oxid.it/cain.html." }, { "trust": 0.1, "url": "https://labs.mwrinfosecurity.com/tools/sap-decom/." }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com." }, { "trust": 0.1, "url": "https://github.com/daberlin/sap-reposrc-decompressor." }, { "trust": 0.1, "url": "http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html." }, { "trust": 0.1, "url": "http://radare.org/y/." }, { "trust": 0.1, "url": "http://en.wikipedia.org/wiki/lz77_and_lz78." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-2278" } ], "sources": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2015-2278" }, { "db": "BID", "id": "74643" }, { "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "db": "PACKETSTORM", "id": "131883" }, { "db": "NVD", "id": "CVE-2015-2278" }, { "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2015-06-02T00:00:00", "db": "VULMON", "id": "CVE-2015-2278" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "date": "2015-05-13T17:48:36", "db": "PACKETSTORM", "id": "131883" }, { "date": "2015-06-02T14:59:07.537000", "db": "NVD", "id": "CVE-2015-2278" }, { "date": "2015-05-22T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-09T00:00:00", "db": "VULMON", "id": "CVE-2015-2278" }, { "date": "2015-05-13T00:00:00", "db": "BID", "id": "74643" }, { "date": "2015-06-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2015-002925" }, { "date": "2018-10-09T19:56:11.780000", "db": "NVD", "id": "CVE-2015-2278" }, { "date": "2015-06-03T00:00:00", "db": "CNNVD", "id": "CNNVD-201505-482" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-482" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "plural SAP Product LZH Service disruption in decompression implementation (DoS) Vulnerabilities", "sources": [ { "db": "JVNDB", "id": "JVNDB-2015-002925" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201505-482" } ], "trust": 0.6 } }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "matchCriteriaId": "75C1FA85-049A-4324-9E18-7C41017B84EE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption." }, { "lang": "es", "value": "Error de signo de entero en vserver en SAP MaxDB 7.6.0.37, y posiblemente otras versiones, permite a atacantes remotos ejecutar c\u00f3digo de su elecci\u00f3n mediante vectores no especificados que disparan una corrupci\u00f3n del mont\u00edculo (heap)." } ], "id": "CVE-2008-0307", "lastModified": "2024-11-21T00:41:38.243", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-11T23:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29312" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28183" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019571" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "source": "cve@mitre.org", "url":
"https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29312" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28183" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1019571" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-189" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "matchCriteriaId": "75C1FA85-049A-4324-9E18-7C41017B84EE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings." }, { "lang": "es", "value": "sdbstarter en SAP MaxDB 7.6.0.37, y posiblemente en otras versiones, permite a usuarios locales ejecutar comandos de su elecci\u00f3n utilizando variables de entorno no especificadas para modificar par\u00e1metros de configuraci\u00f3n." } ], "id": "CVE-2008-0306", "lastModified": "2024-11-21T00:41:38.073", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-11T23:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29312" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28185" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019570" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "source": "cve@mitre.org", "url":
"https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29312" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28185" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1019570" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/105063 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2660005 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105063 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2660005 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:7.8:*:*:*:*:*:*:*", "matchCriteriaId": "ACF846DB-673F-40F3-9D6C-20C8486DD37E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.9:*:*:*:*:*:*:*", "matchCriteriaId": "568A024B-D6AD-4B94-B813-A38F7266C3F4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database." }, { "lang": "es", "value": "SAP MaxDB (liveCache), en versiones 7.8 y 7.9, permite que un atacante que obtenga privilegios de operador DBM ejecute consultas manipuladas en la base de datos y, por lo tanto, leer, modificar o eliminar informaci\u00f3n sensible de la base de datos." } ], "id": "CVE-2018-2450", "lastModified": "2024-11-21T04:03:50.223", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.2, "impactScore": 5.9, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-08-14T16:29:01.553", "references": [ { "source": "cna@sap.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105063" }, { "source": "cna@sap.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "source": "cna@sap.com", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105063" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742" } ], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
linux | linux_kernel | * | |
sap | maxdb | 7.6.03.15 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "155AD4FB-E527-4103-BCEF-801B653DEA37", "vulnerable": false } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:7.6.03.15:*:*:*:*:*:*:*", "matchCriteriaId": "4AA3A766-8E99-4CD8-B6EA-A360DE2AA832", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable." }, { "lang": "es", "value": "Vulnerabilidad de b\u00fasqueda de ruta no confiable en dbmsrv en SAP MaxDB 7.6.03.15 sobre Linux. Permite a usuarios locales elevar sus privilegios a trav\u00e9s de una variable de entorno PATH modificada." } ], "id": "CVE-2008-1810", "lastModified": "2024-11-21T00:45:24.077", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-08-01T14:41:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/31318" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/30474" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1020585" }, { "source": 
"cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/30474" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1020585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:7.4.3.32:*:*:*:*:*:*:*", "matchCriteriaId": "2A00391D-3952-4089-84A2-E69DFA0B7EE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6.0.37:*:*:*:*:*:*:*", "matchCriteriaId": "75C1FA85-049A-4324-9E18-7C41017B84EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6.06:*:*:*:*:*:*:*", "matchCriteriaId": "526EF6D0-762C-4F36-A5DC-476F5B44B534", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "Desbordamiento de b\u00fafer basado en pila en serv.exe de SAP MaxDB v7.4.3.32, y v7.6.0.37 hasta la v7.6.06. Permite a atacantes remotos ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de un par\u00e1metro de longitud inv\u00e1lido en un paquete de \"handshake\" (establecimiento de conexi\u00f3n) al puerto TCP 7210. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n de terceras partes." 
} ], "id": "CVE-2010-1185", "lastModified": "2024-11-21T01:13:49.600", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-03-29T22:30:00.407", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/63047" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38955" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/38769" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1023719" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "source": "cve@mitre.org", "url": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/63047" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/38769" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1023719" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:maxdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "C15B96CF-B854-4A87-B702-3784333F9D1F", "versionEndIncluding": "7.6.3_build_007", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via \"\u0026\u0026\" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe." }, { "lang": "es", "value": "SAP MaxDB 7.6.03 build 007 y versiones anteriores, permite que atacantes remotos ejecuten comandos arbitrarios usando \"\u0026\u0026\", adem\u00e1s de otros metacaracteres del int\u00e9rprete de comandos (shell) en exec_sdbinfo, y de otros comandos no especificados, que se ejecutan cuando MaxDB invoca a cons.exe." } ], "id": "CVE-2008-0244", "lastModified": "2024-11-21T00:41:29.393", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-01-12T02:46:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28409" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3536" }, { "source": "cve@mitre.org", "url":
"http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/27206" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019171" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/4877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28409" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3536" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/27206" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1019171" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/4877" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
sap | gui | - | |
sap | maxdb | 7.5 | |
sap | maxdb | 7.6 | |
sap | netweaver_abap_application_server | - | |
sap | netweaver_java_application_server | - | |
sap | netweaver_rfc_sdk | - | |
sap | rfc_library | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "matchCriteriaId": "399383D3-01CC-48FF-943F-F7F0EF54ECFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "BAA8EB08-6866-4FDF-A552-C290A54E9B08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "3BF72173-A7B4-44DD-A842-BA29D6AF6E08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A55F8F2-A31D-4C57-A664-0B1DBD1F17A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BC67018-106D-4103-83FB-FEC80496F14D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A37353F-8BC1-4B72-B452-E19308C9740B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0FE182C-229B-461B-8139-D39E005034A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
}, { "lang": "es", "value": "La implementaci\u00f3n LZH decompression (la funci\u00f3n CsObjectInt::BuildHufTree en vpa108csulzh.cpp) en SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, la herramienta de archivos SAPCAR, y otros productos permite a atacantes dependientes de contexto causar una denegaci\u00f3n de servicio (lectura fuera de rango) a trav\u00e9s de vectores no especificados, relacionado con b\u00fasquedas de c\u00f3digos no simples, tambi\u00e9n conocido como las notas de seguridad de SAP 2124806, 2121661, 2127995, y 2125316." } ], "id": "CVE-2015-2278", "lastModified": "2024-11-21T02:27:08.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-06-02T14:59:07.537", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/74643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74643" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
sap | gui | - | |
sap | maxdb | 7.5 | |
sap | maxdb | 7.6 | |
sap | netweaver_abap_application_server | - | |
sap | netweaver_java_application_server | - | |
sap | netweaver_rfc_sdk | - | |
sap | rfc_library | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "matchCriteriaId": "399383D3-01CC-48FF-943F-F7F0EF54ECFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "BAA8EB08-6866-4FDF-A552-C290A54E9B08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "3BF72173-A7B4-44DD-A842-BA29D6AF6E08", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A55F8F2-A31D-4C57-A664-0B1DBD1F17A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BC67018-106D-4103-83FB-FEC80496F14D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A37353F-8BC1-4B72-B452-E19308C9740B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0FE182C-229B-461B-8139-D39E005034A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
}, { "lang": "es", "value": "Desbordamiento de buffer basado en pila en la implementaci\u00f3n LZC decompression (la funci\u00f3n CsObjectInt::CsDecomprLZC en vpa106cslzc.cpp) en SAP MaxDB 7.5 y 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, la herramienta de archivos SAPCAR, y otros productos permite a atacantes dependientes de contexto causar una denegaci\u00f3n de servicio (ca\u00edda) o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados, tambi\u00e9n conocido como las notas de seguridad de 2124806, 2121661, 2127995, y 2125316." } ], "id": "CVE-2015-2282", "lastModified": "2024-11-21T02:27:08.723", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-06-02T14:59:08.880", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": 
"cve@mitre.org", "url": "http://www.securityfocus.com/bid/74643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74643" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2008-0244
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/28409 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/486039/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.vupen.com/english/advisories/2008/0104 | vdb-entry, x_refsource_VUPEN | |
https://www.exploit-db.com/exploits/4877 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securitytracker.com/id?1019171 | vdb-entry, x_refsource_SECTRACK | |
http://aluigi.altervista.org/adv/sapone-adv.txt | x_refsource_MISC | |
http://securityreason.com/securityalert/3536 | third-party-advisory, x_refsource_SREASON | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/39573 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/27206 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T07:39:34.987Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "28409", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28409" }, { "name": "20080109 Pre-auth remote commands execution in SAP MaxDB 7.6.03.07", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "name": "ADV-2008-0104", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "name": "4877", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/4877" }, { "name": "1019171", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1019171" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "name": "3536", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3536" }, { "name": "maxdb-system-command-execution(39573)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "name": "27206", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27206" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-01-09T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via \"\u0026\u0026\" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are 
executed when MaxDB invokes cons.exe." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "28409", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28409" }, { "name": "20080109 Pre-auth remote commands execution in SAP MaxDB 7.6.03.07", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "name": "ADV-2008-0104", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "name": "4877", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/4877" }, { "name": "1019171", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1019171" }, { "tags": [ "x_refsource_MISC" ], "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "name": "3536", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3536" }, { "name": "maxdb-system-command-execution(39573)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "name": "27206", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27206" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0244", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP MaxDB 7.6.03 build 007 and earlier 
allows remote attackers to execute arbitrary commands via \"\u0026\u0026\" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "28409", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28409" }, { "name": "20080109 Pre-auth remote commands execution in SAP MaxDB 7.6.03.07", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/486039/100/0/threaded" }, { "name": "ADV-2008-0104", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0104" }, { "name": "4877", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/4877" }, { "name": "1019171", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019171" }, { "name": "http://aluigi.altervista.org/adv/sapone-adv.txt", "refsource": "MISC", "url": "http://aluigi.altervista.org/adv/sapone-adv.txt" }, { "name": "3536", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3536" }, { "name": "maxdb-system-command-execution(39573)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39573" }, { "name": "27206", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27206" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0244", "datePublished": "2008-01-12T02:00:00", "dateReserved": "2008-01-11T00:00:00", "dateUpdated": "2024-08-07T07:39:34.987Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-1185
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://osvdb.org/63047 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/56950 | vdb-entry, x_refsource_XF | |
http://www.securitytracker.com/id?1023719 | vdb-entry, x_refsource_SECTRACK | |
http://www.zerodayinitiative.com/advisories/ZDI-10-032/ | x_refsource_MISC | |
http://www.securityfocus.com/bid/38769 | vdb-entry, x_refsource_BID | |
http://www.securityfocus.com/archive/1/510125/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.vupen.com/english/advisories/2010/0643 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/38955 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T01:14:06.689Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "63047", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/63047" }, { "name": "maxdb-serv-bo(56950)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" }, { "name": "1023719", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1023719" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/" }, { "name": "38769", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/38769" }, { "name": "20100316 ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "name": "ADV-2010-0643", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "name": "38955", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38955" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-03-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "63047", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/63047" }, { "name": "maxdb-serv-bo(56950)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" }, { "name": "1023719", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1023719" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/" }, { "name": "38769", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/38769" }, { "name": "20100316 ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "name": "ADV-2010-0643", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "name": "38955", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38955" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-1185", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. 
NOTE: some of these details are obtained from third party information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "63047", "refsource": "OSVDB", "url": "http://osvdb.org/63047" }, { "name": "maxdb-serv-bo(56950)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56950" }, { "name": "1023719", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1023719" }, { "name": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/", "refsource": "MISC", "url": "http://www.zerodayinitiative.com/advisories/ZDI-10-032/" }, { "name": "38769", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38769" }, { "name": "20100316 ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/510125/100/0/threaded" }, { "name": "ADV-2010-0643", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0643" }, { "name": "38955", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38955" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-1185", "datePublished": "2010-03-29T22:00:00", "dateReserved": "2010-03-29T00:00:00", "dateUpdated": "2024-08-07T01:14:06.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-0307
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/41107 | vdb-entry, x_refsource_XF | |
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669 | third-party-advisory, x_refsource_IDEFENSE | |
http://www.securityfocus.com/bid/28183 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2008/0844/references | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/29312 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securitytracker.com/id?1019571 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T07:39:34.804Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "maxdb-vserver-code-execution(41107)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" }, { "name": "20080310 SAP MaxDB Signedness Error Heap Corruption Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE", "x_transferred" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "name": "28183", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28183" }, { "name": "ADV-2008-0844", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "29312", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29312" }, { "name": "1019571", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1019571" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "maxdb-vserver-code-execution(41107)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" }, { "name": "20080310 SAP MaxDB Signedness Error Heap Corruption Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "name": "28183", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28183" }, { "name": "ADV-2008-0844", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "29312", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29312" }, { "name": "1019571", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1019571" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0307", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "maxdb-vserver-code-execution(41107)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41107" }, { "name": "20080310 SAP MaxDB Signedness Error Heap Corruption Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669" }, { "name": "28183", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28183" }, { "name": "ADV-2008-0844", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "29312", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29312" }, { "name": "1019571", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019571" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0307", "datePublished": "2008-03-11T23:00:00", "dateReserved": "2008-01-16T00:00:00", "dateUpdated": "2024-08-07T07:39:34.804Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-2450
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://launchpad.support.sap.com/#/notes/2660005 | x_refsource_MISC | |
http://www.securityfocus.com/bid/105063 | vdb-entry, x_refsource_BID | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742 | x_refsource_CONFIRM |
Vendor | Product | Version | |
---|---|---|---|
SAP | SAP MaxDB (liveCache) | 7.8, 7.9 | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T04:21:33.712Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "name": "105063", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105063" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP MaxDB (liveCache)", "vendor": "SAP", "versions": [ { "status": "affected", "version": "7.8" }, { "status": "affected", "version": "7.9" } ] } ], "datePublic": "2018-08-14T00:00:00", "descriptions": [ { "lang": "en", "value": "SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database." 
} ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-08-15T09:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "name": "105063", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105063" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742" } ], "source": { "discovery": "UNKNOWN" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2450", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP MaxDB (liveCache)", "version": { "version_data": [ { "version_name": "", "version_value": "7.8" }, { "version_name": "", "version_value": "7.9" } ] } } ] }, "vendor_name": "SAP" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://launchpad.support.sap.com/#/notes/2660005", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2660005" }, { "name": "105063", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105063" }, { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2450", "datePublished": "2018-08-14T16:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:21:33.712Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-2282
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://seclists.org/fulldisclosure/2015/May/50 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/74643 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/535535/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2015/May/96 | mailing-list, x_refsource_FULLDISC | |
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:10:15.939Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2282", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause 
a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74643" }, { "name": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "name": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities", "refsource": "MISC", "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2282", "datePublished": "2015-06-02T14:00:00", "dateReserved": "2015-03-10T00:00:00", "dateUpdated": "2024-08-06T05:10:15.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-2278
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://seclists.org/fulldisclosure/2015/May/50 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/74643 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/535535/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://seclists.org/fulldisclosure/2015/May/96 | mailing-list, x_refsource_FULLDISC | |
http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:10:15.851Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74643" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2278", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service 
(out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/50" }, { "name": "74643", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74643" }, { "name": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131883/SAP-LZC-LZH-Compression-Denial-Of-Service.html" }, { "name": "20150513 [CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535535/100/0/threaded" }, { "name": "20150522 SAP Security Notes May 2015", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/96" }, { "name": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities", "refsource": "MISC", "url": "http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2278", "datePublished": "2015-06-02T14:00:00", "dateReserved": "2015-03-10T00:00:00", "dateUpdated": "2024-08-06T05:10:15.851Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1810
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.vupen.com/english/advisories/2008/2267/references | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/31318 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/30474 | vdb-entry, x_refsource_BID | |
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729 | third-party-advisory, x_refsource_IDEFENSE | |
http://www.securitytracker.com/id?1020585 | vdb-entry, x_refsource_SECTRACK | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/44125 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:32:01.334Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2008-2267", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "name": "31318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/31318" }, { "name": "30474", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/30474" }, { "name": "20080730 SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE", "x_transferred" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "name": "1020585", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1020585" }, { "name": "maxdb-dbmsrv-code-execution(44125)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-07-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2008-2267", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "name": "31318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/31318" }, { "name": "30474", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/30474" }, { "name": "20080730 SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "name": "1020585", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1020585" }, { "name": "maxdb-dbmsrv-code-execution(44125)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1810", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2008-2267", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2267/references" }, { "name": "31318", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31318" }, { "name": "30474", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30474" }, { "name": "20080730 SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=729" }, { "name": "1020585", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020585" }, { "name": "maxdb-dbmsrv-code-execution(44125)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44125" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1810", "datePublished": "2008-08-01T14:00:00", "dateReserved": "2008-04-15T00:00:00", "dateUpdated": "2024-08-07T08:32:01.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-0306
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.securitytracker.com/id?1019570 | vdb-entry, x_refsource_SECTRACK | |
http://www.vupen.com/english/advisories/2008/0844/references | vdb-entry, x_refsource_VUPEN | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/41104 | vdb-entry, x_refsource_XF | |
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670 | third-party-advisory, x_refsource_IDEFENSE | |
http://secunia.com/advisories/29312 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/28185 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T07:39:34.979Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1019570", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1019570" }, { "name": "ADV-2008-0844", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "maxdb-sdbstarter-privilege-escalation(41104)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" }, { "name": "20080310 SAP MaxDB sdbstarter Privilege Escalation Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE", "x_transferred" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "name": "29312", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29312" }, { "name": "28185", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28185" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-10T00:00:00", "descriptions": [ { "lang": "en", "value": "sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "1019570", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1019570" }, { "name": "ADV-2008-0844", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "maxdb-sdbstarter-privilege-escalation(41104)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" }, { "name": "20080310 SAP MaxDB sdbstarter Privilege Escalation Vulnerability", "tags": [ "third-party-advisory", "x_refsource_IDEFENSE" ], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "name": "29312", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29312" }, { "name": "28185", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28185" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0306", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1019570", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019570" }, { "name": "ADV-2008-0844", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0844/references" }, { "name": "maxdb-sdbstarter-privilege-escalation(41104)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41104" }, { "name": "20080310 SAP MaxDB sdbstarter Privilege Escalation Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670" }, { "name": "29312", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29312" }, { "name": "28185", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28185" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0306", "datePublished": "2008-03-11T23:00:00", "dateReserved": "2008-01-16T00:00:00", "dateUpdated": "2024-08-07T07:39:34.979Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }