CVE-2017-16691: Input Validation
First published: Tue Dec 12 2017(Updated: )
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sap Business Application Software Integrated Solution | =7.00 | |
| Sap Business Application Software Integrated Solution | =7.01 | |
| Sap Business Application Software Integrated Solution | =7.02 | |
| Sap Business Application Software Integrated Solution | =7.10 | |
| Sap Business Application Software Integrated Solution | =7.11 | |
| Sap Business Application Software Integrated Solution | =7.30 | |
| Sap Business Application Software Integrated Solution | =7.31 | |
| Sap Business Application Software Integrated Solution | =7.40 | |
| Sap Business Application Software Integrated Solution | =7.50 | |
| Sap Business Application Software Integrated Solution | =7.51 | |
| Sap Business Application Software Integrated Solution | =7.52 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is SAP Note Assistant tool?
SAP Note Assistant tool is a component of SAP BASIS used for managing SAP Notes.
Which versions of SAP Business Application Software Integrated Solution are affected by CVE-2017-16691?
SAP Note Assistant tool in SAP BASIS versions 7.00 to 7.52 are affected.
What is the severity of CVE-2017-16691?
The severity of CVE-2017-16691 is medium, with a CVSS score of 6.5.
How does the vulnerability in CVE-2017-16691 work?
The vulnerability allows for uploading malicious note files during the extraction process using the SAP Note Assistant tool.
Are there any patches or fixes available for CVE-2017-16691?
Yes, SAP has released a security note with fixes for CVE-2017-16691. Please refer to the SAP support portal for more information.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/sap
- canonical/sap business application software integrated solution
- version/sap business application software integrated solution/7.00
- version/sap business application software integrated solution/7.01
- version/sap business application software integrated solution/7.02
- version/sap business application software integrated solution/7.10
- version/sap business application software integrated solution/7.11
- version/sap business application software integrated solution/7.30
- version/sap business application software integrated solution/7.31
- version/sap business application software integrated solution/7.40
- version/sap business application software integrated solution/7.50
- version/sap business application software integrated solution/7.51
- version/sap business application software integrated solution/7.52