Juan Perez-Etchegoyen

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.73.00.389160 **Description** The issue is related to the Web Dispatcher service in SAP HANA DB, which lacks protection for service data. This allows remote attackers to potentially obtain passwords by reading web dispatcher and security trace files. The exploitation of this issue may grant unauthorized access to sensitive information. **Recommendations** For SAP HANA DB version 1.00.73.00.389160, consider restricting access to the Web Dispatcher service as a temporary workaround until a patch is available. Additionally, review the security configurations to ensure that service data is properly protected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP HANA Database version 1.00 SPS10 and earlier **Description** The issue allows remote attackers to execute arbitrary code due to insufficient input validation. This can be achieved by sending a TrexNet packet to various methods, including `fcopydir`, `fmkdir`, `frmdir`, `getenv`, `dumpenv`, `fcopy`, `fput`, `fdel`, `fmove`, `fget`, `fappend`, `fdir`, `getTraces`, `kill`, `pexec`, `stop`, and `pythonexec`. **Recommendations** For SAP HANA Database version 1.00 SPS10 and earlier, consider disabling the affected methods until a patch is available. Restrict access to the TrexNet packet handling functionality to minimize the risk of exploitation. Avoid using the vulnerable functions in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.