Symptom
An attacker can execute functions in SAP HANA Web-based Development Workbench through code injection.
CVSS Information
CVSS Base Score: 6.0
CVSS Base Vector: AV:N/AC:M/AU:S/C:P/I:P/A:P
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://service.sap.com/securitynotes/.
Other Terms
Code injection, SAP HANA Web-based Development Workbench
Reason and Prerequisites
The attacker needs a valid user account with sap.hana.xs.ide.roles::Developer or sap.hana.xs.ide.roles::EditorDeveloper to perform the attack.
Solution
Update your SAP HANA installation to revision 74. SPS06 is not affected by this issue.
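To scope exposure before the update is applied, the following added example (not part of the SAP note) lists who holds the two prerequisite roles and shows the installed version. It assumes the standard catalog views SYS.GRANTED_ROLES and SYS.M_DATABASE and a user allowed to read them; only one level of role nesting is resolved.

```sql
-- Added example, not from the SAP note.
-- 1) Installed version. The third dot-separated field of VERSION is the
--    revision (constructed sample: 1.00.73.xx.xxxxxx means revision 73).
SELECT VERSION FROM SYS.M_DATABASE;

-- 2) Users that hold one of the prerequisite roles directly.
SELECT g.GRANTEE   AS USER_NAME,
       g.ROLE_NAME AS IDE_ROLE,
       NULL        AS VIA_ROLE,
       g.GRANTOR
  FROM SYS.GRANTED_ROLES g
 WHERE g.GRANTEE_TYPE = 'USER'
   AND g.ROLE_NAME IN ('sap.hana.xs.ide.roles::Developer',
                       'sap.hana.xs.ide.roles::EditorDeveloper')
UNION ALL
-- 3) Users that inherit one of the roles through one intermediate role.
--    Deeper nesting is not followed here; repeat the join or review the
--    intermediate roles returned in VIA_ROLE manually.
SELECT u.GRANTEE   AS USER_NAME,
       r.ROLE_NAME AS IDE_ROLE,
       r.GRANTEE   AS VIA_ROLE,
       u.GRANTOR
  FROM SYS.GRANTED_ROLES r
  JOIN SYS.GRANTED_ROLES u
    ON u.ROLE_NAME    = r.GRANTEE
   AND u.GRANTEE_TYPE = 'USER'
 WHERE r.GRANTEE_TYPE = 'ROLE'
   AND r.ROLE_NAME IN ('sap.hana.xs.ide.roles::Developer',
                       'sap.hana.xs.ide.roles::EditorDeveloper')
 ORDER BY USER_NAME, IDE_ROLE;
```

Accounts returned here that do not need the Web-based Development Workbench are candidates for having the role revoked until the system is on revision 74.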
Header Data
Released On | 10.06.2014 00:02:47 |
Release Status | Released for Customer |
Component | HAN-WDE SAP HANA Web IDE |
Priority | Correction with high priority |
Category | Program error |
Externally Reported | Yes |