5.3
CVE-2023-49058
- EPSS 0.11%
- Published 12.12.2023 01:15:12
- Last modified 21.11.2024 08:32:44
- Source cna@sap.com
SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact on confidentiality.
Data is provided by the National Vulnerability Database (NVD)
SAP ≫ Master Data Governance Version 731
SAP ≫ Master Data Governance Version 732
SAP ≫ Master Data Governance Version 746
SAP ≫ Master Data Governance Version 747
SAP ≫ Master Data Governance Version 748
SAP ≫ Master Data Governance Version 749
SAP ≫ Master Data Governance Version 751
SAP ≫ Master Data Governance Version 752
SAP ≫ Master Data Governance Version 800
SAP ≫ Master Data Governance Version 801
SAP ≫ Master Data Governance Version 802
SAP ≫ Master Data Governance Version 803
SAP ≫ Master Data Governance Version 804
SAP ≫ Master Data Governance Version 805
SAP ≫ Master Data Governance Version 806
SAP ≫ Master Data Governance Version 807
SAP ≫ Master Data Governance Version 808
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.11% | 0.306 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
cna@sap.com | 3.5 | 1.8 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.