PT-2024-33194 · Sas · Sas Studio

Published: 2024-10-30 · Updated: 2024-11-04 · CVE-2024-48734

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SAS Studio version 9.4
Description: The issue concerns an unrestricted file upload in the /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} endpoint, which allows a remote attacker to upload malicious files. The vendor disputes the issue, stating that file upload through this endpoint is intended functionality for authorized users.
Recommendations: For SAS Studio version 9.4, consider restricting access to the /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} endpoint to prevent unauthorized file uploads. As a temporary workaround, restrict file upload capabilities to authorized users only until a permanent fix is available. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-48734

Affected Products: Sas Studio