Description
Under certain conditions, SAP HANA Extended Application Services, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Although this trace file is protected from unauthorized access, the risk of leaking information is increased.
Some well-known impacts of information disclosure are:
- loss of information and system configuration confidentiality
- information gathering for further exploits and attacks
Available fix and Supported packages
- HDB | 1.00 | 1.00
- HDB | 2.00 | 2.00
- SAP_EXTENDED_APP_SERVICES | 1 | 1
- SAP EXTENDED APP SERVICES 1 | SP000 | 000098
- SAP HANA DATABASE 1.00 | SP122 | 000022
- SAP HANA DATABASE 2.0 | SP024 | 000008
- SAP HANA DATABASE 2.0 | SP036 | 000000
Affected component
- BC-XS-RT
OP Runtime / XS Controller
CVSS
Score: 6.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2724713