Pablo Artuso

**Name of the Vulnerable Software and Affected Versions** SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40, 7.50 **Description** The issue allows an attacker, authenticated as an administrator, to submit a specially crafted XML file due to missing XML validation. This enables the attacker to fully compromise confidentiality by reading any file on the filesystem or fully compromise availability by causing the system to crash. However, the attack cannot be used to change any data, so there is no compromise of integrity. **Recommendations** For SAP NetWeaver AS for JAVA versions 7.20, 7.30, 7.31, 7.40, 7.50, consider implementing proper XML validation to prevent the submission of specially crafted XML files. As a temporary workaround, restrict access to the XML file submission feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP Solution Manager 7.2 (User Experience Monitoring) version 7.2 **Description** The issue arises from inadequate access control, allowing a network attacker authenticated as a regular user to perform operations restricted to administrators. This includes changing the User Experience Monitoring configuration, obtaining details about configured SAP Solution Manager agents, and deploying a malicious User Experience Monitoring script. **Recommendations** For SAP Solution Manager 7.2 (User Experience Monitoring) version 7.2, consider restricting access to the User Experience Monitoring configuration and agent details to minimize the risk of exploitation. As a temporary workaround, limit the use of operations that can be used to deploy scripts until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP Solution Manager 7.2 (User Experience Monitoring) version 7.2 **Description** The issue allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability. This can compromise confidentiality by exposing elements of the file system, partially compromise integrity by allowing the modification of some configurations, and partially compromise availability by making certain services unavailable. **Recommendations** For SAP Solution Manager 7.2 (User Experience Monitoring) version 7.2, consider restricting the upload of scripts to prevent exploitation of the path traversal vulnerability until a patch is available. As a temporary workaround, limit access to sensitive configurations and services to minimize the risk of modification or unavailability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 through 7.50 Description: The vulnerability is related to missing authentication for critical functions in the SAP NetWeaver Java Application Server. This issue allows an attacker to execute configuration tasks without prior authentication, potentially compromising the confidentiality, integrity, and availability of the system. The attacker can create an administrative user, leading to a missing authentication check. The vulnerability has been exploited in real-world incidents, with reports of mass scanning for vulnerable servers. Financial institutions, hospitals, and government entities are among the affected industries. Recommendations: For SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 through 7.50, apply the patches made available by SAP to fix the missing authentication check. As a temporary workaround, consider restricting access to the LM Configuration Wizard to minimize the risk of exploitation. Avoid using the vulnerable component until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** SAP SAPCRYPTOLIB version 5.555.38 **Description** The issue concerns the DSA algorithm implementation, which does not properly check signatures. This allows remote authenticated users to impersonate arbitrary users via unspecified vectors. **Recommendations** For SAP SAPCRYPTOLIB version 5.555.38, update to a version that properly checks signatures to prevent impersonation.

**Name of the Vulnerable Software and Affected Versions** SAP Netweaver version 7.40 SP 12 **Description** The issue allows remote authenticated users with certain permissions to execute arbitrary commands. This is achieved through vectors involving a CALL 'SYSTEM' statement in the SCTC subpackage, specifically in the (1) SCTC REFRESH EXPORT TAB COMP, (2) SCTC REFRESH CHECK ENV, and (3) SCTC TMS MAINTAIN ALOG functions. **Recommendations** For SAP Netweaver version 7.40 SP 12, consider restricting access to the SCTC subpackage functions, specifically SCTC REFRESH EXPORT TAB COMP, SCTC REFRESH CHECK ENV, and SCTC TMS MAINTAIN ALOG, to minimize the risk of exploitation. As a temporary workaround, consider disabling the CALL 'SYSTEM' statement in these functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.091.00.1418659308 **Description** The issue allows remote attackers to obtain sensitive topology information via an unspecified HTTP request. **Recommendations** For SAP HANA DB version 1.00.091.00.1418659308, update to a version that addresses this issue, as specified in SAP Security Note 2176128.

**Name of the Vulnerable Software and Affected Versions** SAP HANA Developer Edition DB version 1.00.091.00.1418659308 **Description** The issue is related to eval injection in the Web-based Development Workbench, allowing remote authenticated users to execute arbitrary XSJS code. This is due to incorrect code generation management in the Development Workbench component of the SAP HANA database management system. Exploitation of this issue can enable a remote attacker to execute arbitrary XSJS code. **Recommendations** For SAP HANA Developer Edition DB version 1.00.091.00.1418659308, consider disabling the Development Workbench or restricting access to it until a fix is available. As a temporary workaround, restrict the execution of XSJS code in the Development Workbench to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.