Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Command execution
Exploits: YES
Reported: 14.03.2011
Vendor response: 16.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 6.0
Author: Alexey Tyurin
Description
The TH_GREP report is vulnerable to command execution, and the vulnerability still works with the previous patch (note 1433101) applied. Remote OS command execution is possible.
Business Risk
A remote attacker or insider can send a malicious command to the SAP NetWeaver server over the internet or from inside a company and execute unauthorised code on the server side. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.

