[ERPSCAN-11-039] SAP NetWeaver TH_GREP module – Code injection vulnerability (NEW)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Command execution
Exploits: YES
Reported: 14.03.2011
Vendor response: 16.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 6.0
Author: Alexey Tyurin

Description
The TH_GREP report has a command execution vulnerability that still works with the previous patch (note 1433101). Remote OS command execution is possible.

Business Risk
A remote attacker or insider can send a malicious command to the SAP NetWeaver server through the Internet or from inside a company and conduct an unauthorised execution of code on the server side. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: