ID

VAR-201311-0366


CVE

CVE-2013-6820


TITLE

Arbitrary code execution vulnerability in SAP NetWeaver Development Infrastructure

Trust: 0.8

sources: JVNDB: JVNDB-2013-005199

DESCRIPTION

Unrestricted file upload vulnerability in the SAP NetWeaver Development Infrastructure (NWDI) allows remote attackers to execute arbitrary code by uploading a file with an executable extension via unspecified vectors. Supplementary information: the CWE vulnerability type has been identified as CWE-434: Unrestricted Upload of File with Dangerous Type. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Trust: 1.89

sources: NVD: CVE-2013-6820 // JVNDB: JVNDB-2013-005199 // BID: 58486

AFFECTED PRODUCTS

vendor: sap, model: netweaver development infrastructure, scope: eq, version: -

Trust: 1.6

vendor: sap, model: netweaver development infrastructure, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.10

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.02

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.01

Trust: 0.3

vendor: sap, model: netweaver sp8, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver sp15, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver ehp2, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver ehp1, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.0

Trust: 0.3

sources: BID: 58486 // JVNDB: JVNDB-2013-005199 // CNNVD: CNNVD-201311-291 // NVD: CVE-2013-6820

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6820
value: HIGH

Trust: 1.0

NVD: CVE-2013-6820
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201311-291
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2013-6820
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2013-005199 // CNNVD: CNNVD-201311-291 // NVD: CVE-2013-6820

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2013-005199 // NVD: CVE-2013-6820

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-291

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201311-291

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005199

PATCH

title: Acknowledgments to Security Researchers, url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

sources: JVNDB: JVNDB-2013-005199

EXTERNAL IDS

db: NVD, id: CVE-2013-6820

Trust: 2.7

db: JVNDB, id: JVNDB-2013-005199

Trust: 0.8

db: CNNVD, id: CNNVD-201311-291

Trust: 0.6

db: BID, id: 58486

Trust: 0.3

sources: BID: 58486 // JVNDB: JVNDB-2013-005199 // CNNVD: CNNVD-201311-291 // NVD: CVE-2013-6820

REFERENCES

url:https://service.sap.com/sap/support/notes/1757675

Trust: 1.6

url:http://scn.sap.com/docs/doc-8218

Trust: 1.6

url:http://erpscan.com/advisories/dsecrg-13-004-sap-netweaver-di-arbitrary-file-upload/

Trust: 1.4

url:https://erpscan.io/advisories/dsecrg-13-004-sap-netweaver-di-arbitrary-file-upload/

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6820

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6820

Trust: 0.8

url:http://www.sap.com/platform/netweaver/index.epx

Trust: 0.3

sources: BID: 58486 // JVNDB: JVNDB-2013-005199 // CNNVD: CNNVD-201311-291 // NVD: CVE-2013-6820

CREDITS

Dmitry Chastukhin of ERPScan

Trust: 0.3

sources: BID: 58486

SOURCES

db: BID, id: 58486
db: JVNDB, id: JVNDB-2013-005199
db: CNNVD, id: CNNVD-201311-291
db: NVD, id: CVE-2013-6820

LAST UPDATE DATE

2024-11-23T22:56:39.360000+00:00


SOURCES UPDATE DATE

db: BID, id: 58486, date: 2013-11-21T00:27:00
db: JVNDB, id: JVNDB-2013-005199, date: 2013-11-21T00:00:00
db: CNNVD, id: CNNVD-201311-291, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6820, date: 2024-11-21T01:59:46.297

SOURCES RELEASE DATE

db: BID, id: 58486, date: 2013-02-20T00:00:00
db: JVNDB, id: JVNDB-2013-005199, date: 2013-11-21T00:00:00
db: CNNVD, id: CNNVD-201311-291, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6820, date: 2013-11-20T14:12:30.977