Description
An authenticated user can use functions of dbpool, to which access should be restricted. This may result in an escalation of privileges.
This SAP Note supplements the corrections provided in SAP Security Note 1715734.
UPDATE 14th May 2019 : Solution provided by note 1715734 is partial. For complete solution implement this note. If you have not implemented 1715734, then implement only this note
Available fix and Supported packages
- SAP-JEE | 6.40 | 6.40
- SAP-JEECOR | 7.00 | 7.00
- SAP-JEECOR | 6.40 | 6.40
- SAP-JEECOR | 7.01 | 7.02
- SERVERCORE | 7.10 | 7.10
- SERVERCORE | 7.11 | 7.11
- SERVERCORE | 7.20 | 7.20
- SERVERCORE | 7.30 | 7.30
- SERVERCORE | 7.31 | 7.31
- SERVERCORE | 7.40 | 7.40
- SERVERCORE | 7.50 | 7.50
- J2EE ENGINE SERVERCORE 7.10 | SP012 | 000038
- J2EE ENGINE SERVERCORE 7.10 | SP013 | 000032
- J2EE ENGINE SERVERCORE 7.10 | SP014 | 000047
- J2EE ENGINE SERVERCORE 7.10 | SP015 | 000031
- J2EE ENGINE SERVERCORE 7.10 | SP016 | 000020
- J2EE ENGINE SERVERCORE 7.10 | SP020 | 000022
- J2EE ENGINE SERVERCORE 7.10 | SP021 | 000010
- J2EE ENGINE SERVERCORE 7.10 | SP022 | 000005
- J2EE ENGINE SERVERCORE 7.10 | SP023 | 000001
- J2EE ENGINE SERVERCORE 7.10 | SP024 | 000000
- J2EE ENGINE SERVERCORE 7.11 | SP007 | 000040
- J2EE ENGINE SERVERCORE 7.11 | SP008 | 000047
- J2EE ENGINE SERVERCORE 7.11 | SP009 | 000052
- J2EE ENGINE SERVERCORE 7.11 | SP010 | 000039
- J2EE ENGINE SERVERCORE 7.11 | SP011 | 000030
- J2EE ENGINE SERVERCORE 7.11 | SP015 | 000022
- J2EE ENGINE SERVERCORE 7.11 | SP016 | 000010
- J2EE ENGINE SERVERCORE 7.11 | SP017 | 000007
- J2EE ENGINE SERVERCORE 7.11 | SP018 | 000002
- J2EE ENGINE SERVERCORE 7.11 | SP019 | 000000
Affected component
- BC-JAS-TRH
Transactions and Resource Handling
CVSS
Score: 4.7
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2664504
