Skip links

The reset logon page can be always requested, SAP security note 1479637

Description

The reset password page in the logon application can be requested even when the ume property ume.logon.logon_help is set to FALSE.This opens possibility for user to guess the password of another user.

Available fix and Supported packages

  • SAP-JEE | 6.40 | 6.40
  • SAP_JTECHS | 7.00 | 7.02
  • J2EE-APPS | 7.10 | 7.11
  • J2EE ENGINE APPLICATIONS 7.10 | SP008 | 000002
  • J2EE ENGINE APPLICATIONS 7.10 | SP009 | 000002
  • J2EE ENGINE APPLICATIONS 7.10 | SP010 | 000001
  • J2EE ENGINE APPLICATIONS 7.10 | SP011 | 000000
  • J2EE ENGINE APPLICATIONS 7.11 | SP003 | 000007
  • J2EE ENGINE APPLICATIONS 7.11 | SP004 | 000004
  • J2EE ENGINE APPLICATIONS 7.11 | SP005 | 000002
  • J2EE ENGINE APPLICATIONS 7.11 | SP006 | 000000
  • SAP J2EE ENGINE 6.40 | SP023 | 000004
  • SAP J2EE ENGINE 6.40 | SP024 | 000010
  • SAP J2EE ENGINE 6.40 | SP025 | 000018
  • SAP J2EE ENGINE 6.40 | SP026 | 000013
  • SAP JAVA TECH SERVICES 6.40 | SP027 | 000000
  • SAP JAVA TECH SERVICES 7.00 | SP019 | 000016
  • SAP JAVA TECH SERVICES 7.00 | SP020 | 000015
  • SAP JAVA TECH SERVICES 7.00 | SP021 | 000010
  • SAP JAVA TECH SERVICES 7.00 | SP022 | 000002
  • SAP JAVA TECH SERVICES 7.00 | SP023 | 000000
  • SAP JAVA TECH SERVICES 7.01 | SP004 | 000020
  • SAP JAVA TECH SERVICES 7.01 | SP005 | 000016

Affected component

    BC-JAS-SEC-LGN
    Logon, SSO

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1479637

TAGS

#logon-application-help-reset-password