Sign-up

ID

VAR-201304-0470


TITLE

SAP NetWeaver RFC Function Arbitrary File Disclosure Vulnerability

Trust: 0.9

sources: BID: 59501 // CNNVD: CNNVD-201304-586

DESCRIPTION

Some RFC functions in SAP NetWeaver have errors when processing SPFC messages, allowing remote attackers to exploit the vulnerability to obtain arbitrary file content. SAP NetWeaver is a set of service-oriented integrated application platform of German SAP company. The platform provides a development and runtime environment for SAP applications. An arbitrary file leak vulnerability exists in SAP NetWeaver, which originates from a program that incorrectly validates user-supplied input. A remote attacker could use this vulnerability to leak arbitrary files in the context of a program and help launch further attacks. There are vulnerabilities in SAP NetWeaver 7.30, other versions may also be affected. This may aid in further attacks

Trust: 1.53

sources: CNVD: CNVD-2013-04554 // CNNVD: CNNVD-201304-586 // BID: 59501 // IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-04554

AFFECTED PRODUCTS

vendor:sapmodel:netweaverscope:eqversion:7.x

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.30

Trust: 0.3

sources: IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-04554 // BID: 59501

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2013-04554
value: MEDIUM

Trust: 0.6

IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

CNVD: CNVD-2013-04554
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-04554

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201304-586

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201304-586

PATCH

title:Patch for SAP NetWeaver RFC Function Arbitrary File Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchinfo/show/33706

Trust: 0.6

sources: CNVD: CNVD-2013-04554

EXTERNAL IDS

db:BIDid:59501

Trust: 1.5

db:CNVDid:CNVD-2013-04554

Trust: 0.8

db:SECUNIAid:53198

Trust: 0.6

db:CNNVDid:CNNVD-201304-586

Trust: 0.6

db:IVDid:73D46A74-1F27-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 73d46a74-1f27-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-04554 // BID: 59501 // CNNVD: CNNVD-201304-586

REFERENCES

url:http://erpscan.com/advisories/dsecrg-13-011-sap-netweaver-pfl-smb-relay/

Trust: 0.9

url:http://www.secunia.com/advisories/53198/

Trust: 0.6

url:http://www.securityfocus.com/bid/59501

Trust: 0.6

url:http://www.sap.com/

Trust: 0.3

sources: CNVD: CNVD-2013-04554 // BID: 59501 // CNNVD: CNNVD-201304-586

CREDITS

Nikolay Mescherin (ERPScan)

Trust: 0.9

sources: BID: 59501 // CNNVD: CNNVD-201304-586

SOURCES

db:IVDid:73d46a74-1f27-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2013-04554
db:BIDid:59501
db:CNNVDid:CNNVD-201304-586

LAST UPDATE DATE

2022-05-17T02:02:32.400000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2013-04554date:2013-05-27T00:00:00
db:BIDid:59501date:2013-04-25T00:00:00
db:CNNVDid:CNNVD-201304-586date:2013-04-27T00:00:00

SOURCES RELEASE DATE

db:IVDid:73d46a74-1f27-11e6-abef-000c29c66e3ddate:2013-05-02T00:00:00
db:CNVDid:CNVD-2013-04554date:2013-04-29T00:00:00
db:BIDid:59501date:2013-04-25T00:00:00
db:CNNVDid:CNNVD-201304-586date:2013-04-27T00:00:00