ID

VAR-201311-0367


CVE

CVE-2013-6821


TITLE

SAP NetWeaver Exportability Check Service Directory Traversal Vulnerability

Trust: 1.7

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01227 // BID: 58090 // CNNVD: CNNVD-201302-486

DESCRIPTION

Directory traversal vulnerability in the Exportability Check Service in SAP NetWeaver allows remote attackers to read arbitrary files via unspecified vectors. SAP NetWeaver is the technical foundation of SAP's integrated technology platform and all SAP applications since SAP Business Suite. SAP NetWeaver is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks.

Trust: 2.61

sources: NVD: CVE-2013-6821 // JVNDB: JVNDB-2013-005200 // CNVD: CNVD-2013-01227 // BID: 58090 // IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01227

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: -

Trust: 1.6

vendor: sap, model: netweaver, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.x

Trust: 0.6

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.10

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.02

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.01

Trust: 0.3

vendor: sap, model: netweaver sp8, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver sp15, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver ehp2, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver ehp1, scope: eq, version: 7.0

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.0

Trust: 0.3

vendor: netweaver, model: -, scope: eq, version: -

Trust: 0.2

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01227 // BID: 58090 // JVNDB: JVNDB-2013-005200 // CNNVD: CNNVD-201311-292 // NVD: CVE-2013-6821

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6821
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6821
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201311-292
value: MEDIUM

Trust: 0.6

IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2013-6821
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2013-005200 // CNNVD: CNNVD-201311-292 // NVD: CVE-2013-6821

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2013-005200 // NVD: CVE-2013-6821

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201302-486 // CNNVD: CNNVD-201311-292

TYPE

Path traversal

Trust: 1.4

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201302-486 // CNNVD: CNNVD-201311-292

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005200

PATCH

title: Acknowledgments to Security Researchers
url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

title: Patch for the SAP NetWeaver Exportability Check Service Directory Traversal Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/32131

Trust: 0.6

sources: CNVD: CNVD-2013-01227 // JVNDB: JVNDB-2013-005200

EXTERNAL IDS

db: NVD, id: CVE-2013-6821

Trust: 2.9

db: BID, id: 58090

Trust: 1.5

db: CNVD, id: CNVD-2013-01227

Trust: 0.8

db: CNNVD, id: CNNVD-201311-292

Trust: 0.8

db: JVNDB, id: JVNDB-2013-005200

Trust: 0.8

db: CNNVD, id: CNNVD-201302-486

Trust: 0.6

db: IVD, id: 8933FF62-1F34-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 8933ff62-1f34-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01227 // BID: 58090 // JVNDB: JVNDB-2013-005200 // CNNVD: CNNVD-201302-486 // CNNVD: CNNVD-201311-292 // NVD: CVE-2013-6821

REFERENCES

url: https://service.sap.com/sap/support/notes/1628537

Trust: 1.6

url: http://scn.sap.com/docs/doc-8218

Trust: 1.6

url: http://erpscan.com/advisories/dsecrg-13-003-sap-netweaver-exportability-check-service-unauthorized-directory-traversal/

Trust: 1.4

url: https://erpscan.io/advisories/dsecrg-13-003-sap-netweaver-exportability-check-service-unauthorized-directory-traversal/

Trust: 1.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6821

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6821

Trust: 0.8

url: http://www.securelist.com/en/advisories/52256http

Trust: 0.6

url: http://www.securityfocus.com/bid/58090

Trust: 0.6

url: http://www.sap.com/platform/netweaver/index.epx

Trust: 0.3

sources: CNVD: CNVD-2013-01227 // BID: 58090 // JVNDB: JVNDB-2013-005200 // CNNVD: CNNVD-201302-486 // CNNVD: CNNVD-201311-292 // NVD: CVE-2013-6821

CREDITS

Dmitry Chastukhin of ERPScan

Trust: 0.9

sources: BID: 58090 // CNNVD: CNNVD-201302-486

SOURCES

db: IVD, id: 8933ff62-1f34-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-01227
db: BID, id: 58090
db: JVNDB, id: JVNDB-2013-005200
db: CNNVD, id: CNNVD-201302-486
db: CNNVD, id: CNNVD-201311-292
db: NVD, id: CVE-2013-6821

LAST UPDATE DATE

2024-11-23T22:23:12.649000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-01227, date: 2013-02-25T00:00:00
db: BID, id: 58090, date: 2013-11-21T00:47:00
db: JVNDB, id: JVNDB-2013-005200, date: 2013-11-21T00:00:00
db: CNNVD, id: CNNVD-201302-486, date: 2013-02-26T00:00:00
db: CNNVD, id: CNNVD-201311-292, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6821, date: 2024-11-21T01:59:46.430

SOURCES RELEASE DATE

db: IVD, id: 8933ff62-1f34-11e6-abef-000c29c66e3d, date: 2013-02-25T00:00:00
db: CNVD, id: CNVD-2013-01227, date: 2013-02-25T00:00:00
db: BID, id: 58090, date: 2013-01-31T00:00:00
db: JVNDB, id: JVNDB-2013-005200, date: 2013-11-21T00:00:00
db: CNNVD, id: CNNVD-201302-486, date: 2013-01-31T00:00:00
db: CNNVD, id: CNNVD-201311-292, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6821, date: 2013-11-20T14:12:31.007