Description
Remote Code Execution
SAP Data Services allow an unauthenticated attacker to send a malicious request which could result in remote code execution. This occurs due to insufficient input validation and a successful exploit would result in complete compromise of system confidentiality, integrity and availability.
CVSS: 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Denial of Service
SAP Data Services allow an unauthenticated attacker to override access permission which may cause Denial of Service when performing a file upload. On successful exploitation, the attacker can completely compromise the availability of the application.
CVSS: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Available fix and Supported packages
- SBOP_DS_MANAGEMENT_CONSOLE | 4.2 | 4.2
- SAP DATA SERVICES 4.2 | SP012 | 000010
- SAP DATA SERVICES 4.2 | SP013 | 000004
- SAP DATA SERVICES 4.2 | SP014 | 000004
Affected component
- EIM-DS-DEP
Deployment, Installation, Upgrade
CVSS
Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2982840
