First published: Fri Nov 19 2021
SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions that are native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Sas Sas/intrnet | <9.4 | |
Sas Sas/intrnet | =9.4 | |
Sas Sas/intrnet | =9.4-build1520 | |
CVE-2021-41569 is a vulnerability in SAS/Intrnet 9.4 build 1520 and earlier that allows Local File Inclusion.
CVE-2021-41569 has a severity rating of 7.5 (high).
CVE-2021-41569 allows end-users to access the sample.webcsf1.sas program in the samples library, which contains user-controlled macro variables that are passed to the DS2CSF macro.
SAS/Intrnet 9.4 build 1520 and earlier are affected by CVE-2021-41569.
To fix CVE-2021-41569, update SAS/Intrnet to a version that is not affected by the vulnerability.