SAP HANA Extended Application Services におけるインジェクションに関する脆弱性
| Title |
SAP HANA Extended Application Services におけるインジェクションに関する脆弱性
|
| Summary |
SAP HANA Extended Application Services には、インジェクションに関する脆弱性が存在します。
|
| Possible impacts |
情報を改ざんされる可能性があります。 |
| Solution |
ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
Dec. 12, 2017, midnight |
| Registration Date |
Jan. 18, 2018, 5:08 p.m. |
| Last Update |
Jan. 18, 2018, 5:08 p.m. |
|
CVSS3.0 : 重要
|
| Score |
7.5
|
| Vector |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
|
CVSS2.0 : 警告
|
| Score |
5
|
| Vector |
AV:N/AC:L/Au:N/C:N/I:P/A:N |
Affected System
| SAP |
|
SAP HANA Extended Application Services 1.0
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
| No |
Changed Details |
Date of change |
| 0 |
[2018年01月18日]
掲載 |
Feb. 17, 2018, 10:37 a.m. |
NVD Vulnerability Information
CVE-2017-16680
| Summary |
Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. Hence the interpretation of audit log files could be hindered or misdirected. 2) User Account and Authentication writes audit logs into syslog and additionally writes the same audit entries into a log file. Entries in the log file miss escaping. Hence the interpretation of audit log files could be hindered or misdirected, while the entries in syslog are correct.
|
| Publication Date |
Dec. 12, 2017, 11:29 p.m. |
| Registration Date |
Jan. 26, 2021, 1:18 p.m. |
| Last Update |
Nov. 21, 2024, 12:16 p.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:sap:hana_extended_application_services:1.0:*:*:*:*:*:*:* |
|
|
|
|
Related information, measures and tools
Common Vulnerabilities List