PT-2016-5629 · Sap · Sap Netweaver
Pablo Müller
+1
·
Published
2016-10-13
·
Updated
2016-11-28
·
CVE-2016-3635
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SAP Netweaver version 7.4
Description
The issue allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list. This can lead to the execution of arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly.
Recommendations
For SAP Netweaver version 7.4, apply the fix provided in SAP Security Note 2139366 to resolve the issue.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sap Netweaver