Vahagn Vardanian

Co-founder and CTO of RedRays

Multiple Vulnerabilities in SAP Data Services, SAP security note 2982840

Description

Remote Code Execution

SAP Data Services allows an unauthenticated attacker to send a malicious request that could result in remote code execution. The cause is insufficient input validation, and a successful exploit would result in complete compromise of system confidentiality, integrity and availability.

CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Denial of Service

SAP Data Services allows an unauthenticated attacker to override access permissions, which may cause a Denial of Service when performing a file upload. On successful exploitation, the attacker can completely compromise the availability of the application.

CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Available fix and Supported packages

  • SBOP_DS_MANAGEMENT_CONSOLE | 4.2 | 4.2
  • SAP DATA SERVICES 4.2 | SP012 | 000010
  • SAP DATA SERVICES 4.2 | SP013 | 000004
  • SAP DATA SERVICES 4.2 | SP014 | 000004

Affected component

    EIM-DS-DEP
    Deployment, Installation, Upgrade

CVSS

Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PoC

Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2982840

TAGS

#CVE-2019-0230
#CVE-2019-0233
#SAP-Data-Services
#Remote-Code-Execution
#Denial-of-Service