Description
Process Integration Monitoring of SAP NetWeaver Application Server for Java allows an attacker with access to the PIMON application (an authorization that is granted to basic users) to upload any file, including script files, without proper file format validation. The file is only transported through the system as an attachment and stored in a database table in a non-critical format. If a very large file is processed, the affected resource could become completely unavailable.
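The weakness described above has two parts: the upload path accepts any file type, and it accepts any file size. The following Python snippet is an added illustration of the corresponding controls, not SAP code and not the fix shipped in the note. It enforces an extension allowlist, checks the leading bytes against the declared type, and applies a hard size cap while reading the stream in chunks so an oversized upload is rejected before it is fully buffered or stored. The allowed types, signatures and the 1 MiB cap are constructed for the example.

```python
"""Upload validation: extension allowlist, content sniffing, streaming size cap.
Added illustration only; not SAP's PIMON code and not the vendor fix."""
import io

MAX_UPLOAD_BYTES = 1 * 1024 * 1024  # hypothetical cap for the example
CHUNK = 64 * 1024                    # read the stream in 64 KiB pieces

# Allowed extensions and the leading bytes each must start with (constructed list).
ALLOWED_TYPES = {
    ".xml": (b"<?xml",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


class UploadRejected(ValueError):
    """Raised for any upload that fails type, content or size checks."""


def _extension(filename):
    # Strip any path component the client sent, then take the last suffix.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def read_validated_upload(filename, stream, max_bytes=MAX_UPLOAD_BYTES):
    """Return the upload bytes, or raise UploadRejected.

    The size cap is checked on every chunk, so a multi-gigabyte body is
    refused after reading at most max_bytes + CHUNK bytes from the socket
    instead of being transported and stored in full."""
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"file type not allowed: {ext or '(none)'}")

    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        if len(buf) + len(chunk) > max_bytes:
            raise UploadRejected(f"upload exceeds {max_bytes} bytes")
        buf += chunk

    # The declared type must match the actual content; a script renamed
    # to .xml will not begin with the XML declaration.
    if not any(buf.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared file type")
    return bytes(buf)


def check_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Convenience wrapper returning ('ok', size) or ('rejected', reason)."""
    try:
        content = read_validated_upload(filename, io.BytesIO(data), max_bytes)
        return ("ok", len(content))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_upload("report.xml", b"<?xml version='1.0'?><report/>"))
    print(check_upload("shell.jsp", b"<% out.println('x'); %>"))
    print(check_upload("shell.xml", b"<% out.println('x'); %>"))
    print(check_upload("big.xml", b"<?xml" + b"A" * 4000, max_bytes=1000))
```

The signature check is deliberately strict (a leading BOM or whitespace before `<?xml` would be refused), which is the safer default for an attachment store; loosen it per type only if the consuming component actually needs it.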
Available fix and Supported packages
- SOAMON | 7.31 | 7.31
- SOAMON | 7.40 | 7.40
- SOAMON | 7.50 | 7.50
- SOA MONITORS 7.31 | SP023 | 000008
- SOA MONITORS 7.31 | SP024 | 000007
- SOA MONITORS 7.31 | SP025 | 000005
- SOA MONITORS 7.31 | SP026 | 000005
- SOA MONITORS 7.31 | SP027 | 000003
- SOA MONITORS 7.31 | SP028 | 000000
- SOA MONITORS 7.40 | SP018 | 000008
- SOA MONITORS 7.40 | SP019 | 000007
- SOA MONITORS 7.40 | SP020 | 000005
- SOA MONITORS 7.40 | SP021 | 000006
- SOA MONITORS 7.40 | SP022 | 000003
- SOA MONITORS 7.40 | SP023 | 000000
- SOA MONITORS 7.50 | SP015 | 000006
- SOA MONITORS 7.50 | SP016 | 000012
- SOA MONITORS 7.50 | SP017 | 000010
- SOA MONITORS 7.50 | SP018 | 000006
- SOA MONITORS 7.50 | SP019 | 000003
- SOA MONITORS 7.50 | SP020 | 000000
Affected component
- BC-NWA-XPI: Process Integration (PI) Monitoring
CVSS
Score: 6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2974330