CVE-2015-4091
https://notcve.org/view.php?id=CVE-2015-4091
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851. Vulnerabilidad de XXE en SAP NetWeaver AS Java 7.4 permite a atacantes remotos enviar peticiones TCP a servidores intranet o posiblemente tener otro impacto no especificado a través de una petición XML a tc~sld~wd~main/Main, relacionado con "CIM UPLOAD", también conocida como SAP Security Note 2090851. • http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.html http://seclists.org/fulldisclosure/2015/May/96 http://www.securityfocus.com/archive/1/536239/100/0/threaded http://www.securityfocus.com/bid/74850 https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xxe •
CVE-2015-2815
https://notcve.org/view.php?id=CVE-2015-2815
Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308) allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2063369. Desbordamiento de buffer en la función C_SAPGPARAM en NetWeaver Dispatcher en SAP KERNEL 7.00 (7000.52.12.34966) y 7.40 (7400.12.21.30308) permite a usuarios remotos autenticados causar una denegación de servicio o posiblemente ejecutar código arbitrario a través de vectores no especificados, también conocido como la nota de seguridad de SAP 2063369. • http://packetstormsecurity.com/files/132353/SAP-NetWeaver-Dispatcher-Buffer-Overflow.html http://seclists.org/fulldisclosure/2015/Jun/61 http://www.securityfocus.com/archive/1/535825/100/800/threaded http://www.securityfocus.com/bid/73897 https://erpscan.io/advisories/erpscan-15-003-sapkernel-c_sapgparam-rce-dos • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-8591
https://notcve.org/view.php?id=CVE-2014-8591
Unspecified vulnerability in SAP Internet Communication Manager (ICM), as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via unknown vectors. Vulnerabilidad no especificada en SAP Internet Communication Manager (ICM), utilizado en SAP NetWeaver 7.02 y 7.3, permite a atacantes remotos causar una denegación de servicio (terminación de proceso) a través de vectores desconocidos. • http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition http://www.securityfocus.com/bid/71030 https://erpscan.io/advisories/erpscan-14-016-sap-netweaver-httpd-partial-http-post-requests-dos https://erpscan.io/press-center/blog/sap-critical-patch-update-october-2014 https://exchange.xforce.ibmcloud.com/vulnerabilities/98582 https://service.sap.com/sap/support/notes/1966655 https://twitter.com/SAP_Gsupport/status/524138333065449472 •
CVE-2014-8592
https://notcve.org/view.php?id=CVE-2014-8592
Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via a crafted request. Vulnerabilidad no especificada en SAP Host Agent, utilizado en SAP NetWeaver 7.02 y 7.3, permite a atacantes remotos causar una denegación de servicio (terminación de proceso) a través de una solicitud manipulada. • http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition https://erpscan.io/advisories/erpscan-14-017-sap-netweaver-http-partial-http-post-requests-dos https://erpscan.io/advisories/erpscan-14-018-sap-netweaver-j2ee-engine-partial-http-post-requests-dos https://erpscan.io/advisories/erpscan-14-019-sap-netweaver-j2ee-engine-partial-http-post-requests-dos https://erpscan.io/advisories/erpscan-14-020-sap-netweaver-management-console-gsaop-partial-http-requests-dos https://erpscan.io/advisories/erps •
CVE-2014-0995 – SAP NetWeaver Enqueue Server - Denial of Service
https://notcve.org/view.php?id=CVE-2014-0995
The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of service (uncontrolled recursion and crash) via a trace level with a wildcard in the Trace Pattern. El servidor Standalone Enqueue en SAP Netweaver 7.20, 7.01, y anteriores permite a atacantes remotos causar una denegación de servicio (recursión sin control y caída) a través de un nivel de traza con un comodín en la pauta de traza (Trace Pattern). • https://www.exploit-db.com/exploits/35000 http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition http://packetstormsecurity.com/files/128726/SAP-Netweaver-Enqueue-Server-Trace-Pattern-Denial-Of-Service.html http://seclists.org/fulldisclosure/2014/Oct/76 http://secunia.com/advisories/60950 http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability http://www.securityfocus.com/archive/1/533719/100/0/threaded https://exchange.xforce.ibmclou • CWE-20: Improper Input Validation •