ID

VAR-190001-0066


TITLE

Multiple remote vulnerabilities exist in SAP NetWeaver

Trust: 0.6

sources: CNVD: CNVD-2012-0405

DESCRIPTION

SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several security vulnerabilities in SAP NetWeaver, including: (1) There are errors in the access control processing of some resources, which can be utilized to obtain the Runtime Workbench resources. (2) The access restriction implementation provides a \"PFL_CHECK_OS_FILE_EXISTENCE\" function with an error that can be exploited to enumerate system files. (3) Passing the \"TXVDestination\" parameter to TextContainerAdmin/administration_setup.jsp, the input of the \"ValueIndustry\", \"ValueRegion\" and \"ValueExtension\" parameters passed to the system_context_settings.jsp script is not filtered before being displayed to the user, which can result in injecting arbitrary HTML and Script code. (4) Inputs passed to bcbadmSettings.jsp via the \"cc0Host\", \"cc0Id\", \"cc0Path\", \"cc0Port\" and \"cc0Protocol\" parameters are not filtered before being returned to the user and can be exploited to execute arbitrary HTML and script code. SAP NetWeaver is prone to multiple cross-site scripting vulnerabilities, multiple HTML-injection vulnerabilities, a security-bypass vulnerability, and an information-disclosure vulnerability. Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, disclose sensitive information, or bypass certain security restrictions

Trust: 0.99

sources: CNVD: CNVD-2012-0405 // BID: 51645 // IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0405

AFFECTED PRODUCTS

vendor:sapmodel:netweaver rwbscope:eqversion:0

Trust: 0.9

vendor:sapmodel:netweaver business communication brokerscope:eqversion:0

Trust: 0.9

vendor:sapmodel:netweaver text container administration application sp1 patscope:eqversion:7.20

Trust: 0.6

vendor:sapmodel:netweaver sp6scope:eqversion:7.02

Trust: 0.6

vendor:sapmodel:netweaver text container administration application sp1 patscope:eqversion:7.200

Trust: 0.3

vendor:sapmodel:netweaver sp6scope:eqversion:7.020

Trust: 0.3

vendor:sapmodel:netweaver text container administration application sp1 patscope:eqversion:7.20*

Trust: 0.2

vendor:sapmodel:netweaver rwbscope:eqversion:0*

Trust: 0.2

vendor:sapmodel:netweaver business communication brokerscope:eqversion:0*

Trust: 0.2

vendor:sapmodel:netweaver sp6scope:eqversion:7.02*

Trust: 0.2

sources: IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0405 // BID: 51645

CVSS

SEVERITY

CVSSV2

CVSSV3

IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

sources: IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-014

TYPE

Unknown

Trust: 0.3

sources: BID: 51645

PATCH

title:SAP NetWeaver has multiple patches for remote vulnerabilitiesurl:https://www.cnvd.org.cn/patchinfo/show/8652

Trust: 0.6

sources: CNVD: CNVD-2012-0405

EXTERNAL IDS

db:BIDid:51645

Trust: 1.5

db:CNVDid:CNVD-2012-0405

Trust: 0.8

db:CNNVDid:CNNVD-201202-014

Trust: 0.6

db:IVDid:4B0C87BC-1F76-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 4b0c87bc-1f76-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-0405 // BID: 51645 // CNNVD: CNNVD-201202-014

REFERENCES

url:http://dsecrg.com/pages/vul/show.php?id=408http

Trust: 0.6

url:http://www.securityfocus.com/bid/51645

Trust: 0.6

url:http://dsecrg.com/pages/vul/show.php?id=408

Trust: 0.3

url:http://dsecrg.com/pages/vul/show.php?id=409

Trust: 0.3

url:http://dsecrg.com/pages/vul/show.php?id=410

Trust: 0.3

url:http://dsecrg.com/pages/vul/show.php?id=411

Trust: 0.3

url:http://www.sap.com/

Trust: 0.3

url:https://service.sap.com/sap/support/notes/1567389

Trust: 0.3

url:https://service.sap.com/sap/support/notes/1585652

Trust: 0.3

url:https://service.sap.com/sap/support/notes/1591146

Trust: 0.3

url:https://service.sap.com/sap/support/notes/1591749

Trust: 0.3

sources: CNVD: CNVD-2012-0405 // BID: 51645 // CNNVD: CNNVD-201202-014

CREDITS

Alexander Polyakov, Alexey Tuyrin, Neyolov Evgeny and Dmitriy Evdokimov of DSecRG

Trust: 0.9

sources: BID: 51645 // CNNVD: CNNVD-201202-014

SOURCES

db:IVDid:4b0c87bc-1f76-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2012-0405
db:BIDid:51645
db:CNNVDid:CNNVD-201202-014

LAST UPDATE DATE

2022-05-17T01:55:40.421000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2012-0405date:2012-02-03T00:00:00
db:BIDid:51645date:2012-01-25T21:30:00
db:CNNVDid:CNNVD-201202-014date:2012-02-06T00:00:00

SOURCES RELEASE DATE

db:IVDid:4b0c87bc-1f76-11e6-abef-000c29c66e3ddate:2012-02-03T00:00:00
db:CNVDid:CNVD-2012-0405date:2012-02-03T00:00:00
db:BIDid:51645date:2012-01-24T00:00:00
db:CNNVDid:CNNVD-201202-014date:1900-01-01T00:00:00