PT-2016-7834 · Sap+1 · Sap Internet Communication Framework+3

Ertunga Arsal +1 · Published 2016-12-09 · Updated 2018-10-09 · CVE-2016-9832

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PricewaterhouseCoopers (PwC) ACE-ABAP version 8.10.304 for SAP Security

Description

The issue allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code. This can be achieved via SAPGUI or Internet Communication Framework (ICF) over HTTP or HTTPS. Examples of exploitation include using WEBGUI or Report.

Recommendations

For PricewaterhouseCoopers (PwC) ACE-ABAP version 8.10.304, consider restricting access to the SAPGUI and Internet Communication Framework (ICF) to minimize the risk of exploitation. As a temporary workaround, limit the use of WEBGUI and Report until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2016-9832

Affected Products

Ace-Abap
Sap Internet Communication Framework
Sap Gui
Webgui