Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Multiple Vulnerabilities in SAP Data Services, SAP security note 2982840

Description

Remote Code Execution

SAP Data Services allow an unauthenticated attacker to send a malicious request which could result in remote code execution. This occurs due to insufficient input validation and a successful exploit would result in complete compromise of system confidentiality, integrity and availability.

CVSS: 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Denial of Service

SAP Data Services allow an unauthenticated attacker to override access permission which may cause Denial of Service when performing a file upload. On successful exploitation, the attacker can completely compromise the availability of the application.

CVSS: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Available fix and Supported packages

  • SBOP_DS_MANAGEMENT_CONSOLE | 4.2 | 4.2
  • SAP DATA SERVICES 4.2 | SP012 | 000010
  • SAP DATA SERVICES 4.2 | SP013 | 000004
  • SAP DATA SERVICES 4.2 | SP014 | 000004

Affected component

    EIM-DS-DEP
    Deployment, Installation, Upgrade

CVSS

Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2982840

TAGS

#CVE-2019-0230
#&160-CVE-2019-0233
#&160-SAP-Data-Services
#&160-Remote-Code-Execution
#&160-Denial-of-Service

Explore More

SAP Security Patch Day RedRays

SAP Security Patch Day – April 2025

On April 8, 2025, SAP released its monthly Security Patch Day updates, addressing 19 new vulnerabilities across various SAP products and components.

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.