Description

ERPScan discovered a vulnerability in SAP NetWeaver that allows remote code execution via operating system commands through the SAP ConfigServlet without any authentication.

Remediation

Install SAP security patches 1467771, 1445998.
Change the value of EnableInvokerServletGlobally property of servlet_jsp service on the server nodes to false.

References

Breaking SAP Portal

Related Vulnerabilities

WordPress Plugin Gantry 4 Framework Remote Command Execution (4.1.3)

WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability (0.6.2 - 2.3.2)

Citrix ADC/Gateway Unauthenticated Remote Code Execution

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Remote Code Execution (4.1.0.1)

Drupal Core 8.x.x Remote Code Execution (8.0.0 - 8.7.14)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution