[ERPSCAN-17-045] Information disclosure in SAP NW AS Java SRM package

Application: SAP SRM
Versions Affected: SAP SRM 701 – 714
Vendor URL: SAP
Bug: Information Disclosure
Reported: 17.05.2017
Vendor response: 18.05.2017
Date of Public Advisory: 08.08.2017
Reference: SAP Security Note 2493099
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Information Disclosure
Risk: Medium
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 4.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to AvailabilityNone (N)

DESCRIPTION

An attacker can use vulnerable URL to gain information about an SAP system.

BUSINESS RISK

An attacker can use an Information disclosure vulnerability for revealing additional information (system data, debugging information, etc.) which will help to learn about a system and to plan other attacks.

VULNERABLE PACKAGES

SRM_SERVER 701, 702, 713, 714

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2493099

TECHNICAL DESCRIPTION

The vulnerable JSP is attached in this report.

Proof of Concept