Description
UPDATE 12th January 2021: This note has been re-released with updated ‘validity’ and ‘Support Packages & Patches’ information. We enhanced the validity for all covered codelines to the lowest possible SP-level.
SAP BW Master Data Management and SAP BW4HANA allow an attacker with high privileges to submit a crafted request to generate and execute code without requiring any user interaction. These malicious requests could result in the execution of operating system commands that may completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it.
Available fix and Supported packages
Validity (software component | from release | to release):
- DW4CORE | 100 | 100
- DW4CORE | 200 | 200
- SAP_BW | 700 | 702
- SAP_BW | 730 | 730
- SAP_BW | 731 | 731
- SAP_BW | 740 | 740
- SAP_BW | 750 | 755
- SAP_BW | 782 | 782
Support Packages & Patches (software component version | support package):
- DW4CORE 200 | SAPK-20007INDW4CORE
- DW4CORE 100 | SAPK-10019INDW4CORE
- SAP_BW 740 | SAPKW74025
- SAP_BW 755 | SAPK-75501INSAPBW
- SAP_BW 750 | SAPK-75020INSAPBW
- SAP_BW 751 | SAPK-75112INSAPBW
- | SAPK-783BHINSAPBW
- SAP_BW 752 | SAPK-75208INSAPBW
- SAP_BW 753 | SAPK-75306INSAPBW
- SAP_BW 754 | SAPK-75404INSAPBW
- SAP_BW 700 | SAPKW70041
- SAP_BW 701 | SAPKW70124
- SAP_BW 702 | SAPKW70224
- SAP_BW 782 | SAPK-78202INSAPBW
- SAP_BW 731 | SAPKW73129
Affected component
- BW-WHM-DBA-MD (Master Data)
CVSS
Score: 9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2983367