CVE-2021-41569

Name of the Vulnerable Software and Affected Versions SAS/Intrnet versions 9.4 build 1520 and earlier

Description The issue allows Local File Inclusion. The samples library, included by default in the appstart.sas file, enables end-users to access the sample.webcsf1.sas program. This program contains user-controlled macro variables passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.

Recommendations For SAS/Intrnet versions 9.4 build 1520 and earlier, consider disabling access to the sample.webcsf1.sas program until a patch is available. Restrict the use of the DS2CSF macro to minimize the risk of exploitation. Avoid using user-controlled macro variables in the affected library to prevent escaping the context of the configured variable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.