Search criteria
12 vulnerabilities found for business_application_software_integrated_solution by sap
CVE-2019-0279 (GCVE-0-2019-0279)
Vulnerability from nvd – Published: 2019-04-10 20:17 – Updated: 2024-08-04 17:44
VLAI?
Summary
ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BASIS",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c from 7.00 to 7.02"
},
{
"status": "affected",
"version": "\u003c from 7.10 to 7.30"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.40"
},
{
"status": "affected",
"version": "\u003c from 7.50 to 7.53"
}
]
}
],
"datePublic": "2019-04-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-10T20:17:27",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0279",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BASIS",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "from 7.00 to 7.02"
},
{
"version_name": "\u003c",
"version_value": "from 7.10 to 7.30"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.40"
},
{
"version_name": "\u003c",
"version_value": "from 7.50 to 7.53"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114",
"refsource": "CONFIRM",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2753629",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0279",
"datePublished": "2019-04-10T20:17:27",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2494 (GCVE-0-2018-2494)
Vulnerability from nvd – Published: 2018-12-11 23:00 – Updated: 2024-08-05 04:21
VLAI?
Summary
Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP | SAP Basis (AS ABAP of SAP NetWeaver) |
Affected:
= 7.00 to 7.02
Affected: = 7.10 to 7.30 Affected: = 7.31 Affected: = 7.40 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:34.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Basis (AS ABAP of SAP NetWeaver)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "= 7.00 to 7.02"
},
{
"status": "affected",
"version": "= 7.10 to 7.30"
},
{
"status": "affected",
"version": "= 7.31"
},
{
"status": "affected",
"version": "= 7.40"
}
]
},
{
"product": "SAP Basis (ABAP Platform)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "= 7.50 to 7.53"
}
]
}
],
"datePublic": "2018-12-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-11T22:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2494",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Basis (AS ABAP of SAP NetWeaver)",
"version": {
"version_data": [
{
"version_name": "=",
"version_value": "7.00 to 7.02"
},
{
"version_name": "=",
"version_value": "7.10 to 7.30"
},
{
"version_name": "=",
"version_value": "7.31"
},
{
"version_name": "=",
"version_value": "7.40"
}
]
}
},
{
"product_name": "SAP Basis (ABAP Platform)",
"version": {
"version_data": [
{
"version_name": "=",
"version_value": "7.50 to 7.53"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2698996",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2494",
"datePublished": "2018-12-11T23:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:34.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2367 (GCVE-0-2018-2367)
Vulnerability from nvd – Published: 2018-03-01 17:00 – Updated: 2024-08-05 04:14
VLAI?
Summary
ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Severity ?
No CVSS data available.
CWE
- Directory Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP BASIS (ABAP File Interface) |
Affected:
from 7.00 to 7.02
Affected: from 7.10 to 7.11 Affected: 7.30 Affected: 7.31 Affected: 7.40 Affected: from 7.50 to 7.52 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103006"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BASIS (ABAP File Interface)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "from 7.00 to 7.02"
},
{
"status": "affected",
"version": "from 7.10 to 7.11"
},
{
"status": "affected",
"version": "7.30"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.40"
},
{
"status": "affected",
"version": "from 7.50 to 7.52"
}
]
}
],
"datePublic": "2018-02-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-02T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103006"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2367",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BASIS (ABAP File Interface)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "from 7.00 to 7.02"
},
{
"version_affected": "=",
"version_value": "from 7.10 to 7.11"
},
{
"version_affected": "=",
"version_value": "7.30"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.40"
},
{
"version_affected": "=",
"version_value": "from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103006"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2562089",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2367",
"datePublished": "2018-03-01T17:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2363 (GCVE-0-2018-2363)
Vulnerability from nvd – Published: 2018-01-09 15:00 – Updated: 2024-08-05 04:14
VLAI?
Summary
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials.
Severity ?
No CVSS data available.
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver |
Affected:
7.00
Affected: 7.02 Affected: 7.10 Affected: 7.11 Affected: 7.30 Affected: 7.31 Affected: 7.40 Affected: 7.50 Affected: 7.52 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102449"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.00"
},
{
"status": "affected",
"version": "7.02"
},
{
"status": "affected",
"version": "7.10"
},
{
"status": "affected",
"version": "7.11"
},
{
"status": "affected",
"version": "7.30"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.40"
},
{
"status": "affected",
"version": "7.50"
},
{
"status": "affected",
"version": "7.52"
}
]
}
],
"datePublic": "2018-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user\u0027s choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-11T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102449"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2363",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.00"
},
{
"version_affected": "=",
"version_value": "7.02"
},
{
"version_affected": "=",
"version_value": "7.10"
},
{
"version_affected": "=",
"version_value": "7.11"
},
{
"version_affected": "=",
"version_value": "7.30"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.40"
},
{
"version_affected": "=",
"version_value": "7.50"
},
{
"version_affected": "=",
"version_value": "7.52"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user\u0027s choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/1906212",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102449"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2525392",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2363",
"datePublished": "2018-01-09T15:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16691 (GCVE-0-2017-16691)
Vulnerability from nvd – Published: 2017-12-12 14:00 – Updated: 2024-09-17 00:31
VLAI?
Summary
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.
Severity ?
No CVSS data available.
CWE
- Digital signature verification along with note file extraction
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | SAP Note Assistant |
Affected:
SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:19.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Note Assistant",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type \u0027SAR\u0027. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Digital signature verification along with note file extraction",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-25T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Note Assistant",
"version": {
"version_data": [
{
"version_value": "SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type \u0027SAR\u0027. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Digital signature verification along with note file extraction"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2546220",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2017-16691",
"datePublished": "2017-12-12T14:00:00Z",
"dateReserved": "2017-11-09T00:00:00",
"dateUpdated": "2024-09-17T00:31:20.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16682 (GCVE-0-2017-16682)
Vulnerability from nvd – Published: 2017-12-12 14:00 – Updated: 2024-09-16 22:39
VLAI?
Summary
SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application.
Severity ?
No CVSS data available.
CWE
- Code Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | SAP NetWeaver Internet Transaction Server (ITS) |
Affected:
from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:19.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "102143",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102143"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver Internet Transaction Server (ITS)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-13T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"name": "102143",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102143"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver Internet Transaction Server (ITS)",
"version": {
"version_data": [
{
"version_value": "from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "102143",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102143"
},
{
"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2526781",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2017-16682",
"datePublished": "2017-12-12T14:00:00Z",
"dateReserved": "2017-11-09T00:00:00",
"dateUpdated": "2024-09-16T22:39:53.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0279 (GCVE-0-2019-0279)
Vulnerability from cvelistv5 – Published: 2019-04-10 20:17 – Updated: 2024-08-04 17:44
VLAI?
Summary
ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
Severity ?
No CVSS data available.
CWE
- ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BASIS",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c from 7.00 to 7.02"
},
{
"status": "affected",
"version": "\u003c from 7.10 to 7.30"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.40"
},
{
"status": "affected",
"version": "\u003c from 7.50 to 7.53"
}
]
}
],
"datePublic": "2019-04-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-10T20:17:27",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0279",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BASIS",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "from 7.00 to 7.02"
},
{
"version_name": "\u003c",
"version_value": "from 7.10 to 7.30"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.40"
},
{
"version_name": "\u003c",
"version_value": "from 7.50 to 7.53"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114",
"refsource": "CONFIRM",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2753629",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2753629"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0279",
"datePublished": "2019-04-10T20:17:27",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2494 (GCVE-0-2018-2494)
Vulnerability from cvelistv5 – Published: 2018-12-11 23:00 – Updated: 2024-08-05 04:21
VLAI?
Summary
Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.
Severity ?
No CVSS data available.
CWE
- Missing Authorization Check
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| SAP | SAP Basis (AS ABAP of SAP NetWeaver) |
Affected:
= 7.00 to 7.02
Affected: = 7.10 to 7.30 Affected: = 7.31 Affected: = 7.40 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:34.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Basis (AS ABAP of SAP NetWeaver)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "= 7.00 to 7.02"
},
{
"status": "affected",
"version": "= 7.10 to 7.30"
},
{
"status": "affected",
"version": "= 7.31"
},
{
"status": "affected",
"version": "= 7.40"
}
]
},
{
"product": "SAP Basis (ABAP Platform)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "= 7.50 to 7.53"
}
]
}
],
"datePublic": "2018-12-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing Authorization Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-11T22:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2494",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Basis (AS ABAP of SAP NetWeaver)",
"version": {
"version_data": [
{
"version_name": "=",
"version_value": "7.00 to 7.02"
},
{
"version_name": "=",
"version_value": "7.10 to 7.30"
},
{
"version_name": "=",
"version_value": "7.31"
},
{
"version_name": "=",
"version_value": "7.40"
}
]
}
},
{
"product_name": "SAP Basis (ABAP Platform)",
"version": {
"version_data": [
{
"version_name": "=",
"version_value": "7.50 to 7.53"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Authorization Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2698996",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2698996"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2494",
"datePublished": "2018-12-11T23:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:34.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2367 (GCVE-0-2018-2367)
Vulnerability from cvelistv5 – Published: 2018-03-01 17:00 – Updated: 2024-08-05 04:14
VLAI?
Summary
ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Severity ?
No CVSS data available.
CWE
- Directory Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP BASIS (ABAP File Interface) |
Affected:
from 7.00 to 7.02
Affected: from 7.10 to 7.11 Affected: 7.30 Affected: 7.31 Affected: 7.40 Affected: from 7.50 to 7.52 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103006"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP BASIS (ABAP File Interface)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "from 7.00 to 7.02"
},
{
"status": "affected",
"version": "from 7.10 to 7.11"
},
{
"status": "affected",
"version": "7.30"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.40"
},
{
"status": "affected",
"version": "from 7.50 to 7.52"
}
]
}
],
"datePublic": "2018-02-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-02T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103006"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2367",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP BASIS (ABAP File Interface)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "from 7.00 to 7.02"
},
{
"version_affected": "=",
"version_value": "from 7.10 to 7.11"
},
{
"version_affected": "=",
"version_value": "7.30"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.40"
},
{
"version_affected": "=",
"version_value": "from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
},
{
"name": "103006",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103006"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2562089",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2562089"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2367",
"datePublished": "2018-03-01T17:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-2363 (GCVE-0-2018-2363)
Vulnerability from cvelistv5 – Published: 2018-01-09 15:00 – Updated: 2024-08-05 04:14
VLAI?
Summary
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials.
Severity ?
No CVSS data available.
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP NetWeaver |
Affected:
7.00
Affected: 7.02 Affected: 7.10 Affected: 7.11 Affected: 7.30 Affected: 7.31 Affected: 7.40 Affected: 7.50 Affected: 7.52 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.709Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102449"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.00"
},
{
"status": "affected",
"version": "7.02"
},
{
"status": "affected",
"version": "7.10"
},
{
"status": "affected",
"version": "7.11"
},
{
"status": "affected",
"version": "7.30"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.40"
},
{
"status": "affected",
"version": "7.50"
},
{
"status": "affected",
"version": "7.52"
}
]
}
],
"datePublic": "2018-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user\u0027s choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-11T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102449"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2363",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.00"
},
{
"version_affected": "=",
"version_value": "7.02"
},
{
"version_affected": "=",
"version_value": "7.10"
},
{
"version_affected": "=",
"version_value": "7.11"
},
{
"version_affected": "=",
"version_value": "7.30"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.40"
},
{
"version_affected": "=",
"version_value": "7.50"
},
{
"version_affected": "=",
"version_value": "7.52"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user\u0027s choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/1906212",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/1906212"
},
{
"name": "102449",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102449"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2525392",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2525392"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2363",
"datePublished": "2018-01-09T15:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16691 (GCVE-0-2017-16691)
Vulnerability from cvelistv5 – Published: 2017-12-12 14:00 – Updated: 2024-09-17 00:31
VLAI?
Summary
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.
Severity ?
No CVSS data available.
CWE
- Digital signature verification along with note file extraction
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | SAP Note Assistant |
Affected:
SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:19.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Note Assistant",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type \u0027SAR\u0027. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Digital signature verification along with note file extraction",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-25T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Note Assistant",
"version": {
"version_data": [
{
"version_value": "SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type \u0027SAR\u0027. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Digital signature verification along with note file extraction"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2546220",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2546220"
},
{
"name": "101822",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2017-16691",
"datePublished": "2017-12-12T14:00:00Z",
"dateReserved": "2017-11-09T00:00:00",
"dateUpdated": "2024-09-17T00:31:20.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16682 (GCVE-0-2017-16682)
Vulnerability from cvelistv5 – Published: 2017-12-12 14:00 – Updated: 2024-09-16 22:39
VLAI?
Summary
SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application.
Severity ?
No CVSS data available.
CWE
- Code Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | SAP NetWeaver Internet Transaction Server (ITS) |
Affected:
from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:19.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "102143",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102143"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP NetWeaver Internet Transaction Server (ITS)",
"vendor": "SAP",
"versions": [
{
"status": "affected",
"version": "from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-13T10:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"name": "102143",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102143"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver Internet Transaction Server (ITS)",
"version": {
"version_data": [
{
"version_value": "from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52"
}
]
}
}
]
},
"vendor_name": "SAP"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "102143",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102143"
},
{
"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2526781",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2526781"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2017-16682",
"datePublished": "2017-12-12T14:00:00Z",
"dateReserved": "2017-11-09T00:00:00",
"dateUpdated": "2024-09-16T22:39:53.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}