Описание
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-5372
- https://erpscan.io/advisories/erpscan-16-037-sap-java-p4-mspruntimeinterface-information-disclosure
- https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-october-2016
- http://packetstormsecurity.com/files/140611/SAP-NetWeaver-AS-Java-P4-MSPRUNTIMEINTERFACE-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2017/Jan/50
- http://www.securityfocus.com/bid/93504
Связанные уязвимости
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.