Total: 11 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-27498 | 1 Sap | 1 Host Agent | 2023-03-21 | N/A | 7.2 HIGH |
SAP Host Agent (SAPOSCOL) - version 7.22, allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error. This error can be used to reveal but not modify any technical information about the server. It can also make a particular service temporarily unavailable. | |||||
CVE-2022-35295 | 1 Sap | 1 Host Agent | 2023-03-01 | N/A | 4.9 MEDIUM |
In SAP Host Agent (SAPOSCOL) - version 7.22, an attacker may use files created by saposcol to escalate privileges for themselves. | |||||
CVE-2023-24523 | 1 Sap | 1 Host Agent | 2023-02-21 | N/A | 8.8 HIGH |
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable. | |||||
CVE-2023-0012 | 2 Microsoft, Sap | 2 Windows, Host Agent | 2023-01-13 | N/A | 6.7 MEDIUM |
In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker who gains local membership to SAP_LocalAdmin could be able to replace executables with a malicious file that will be started under a privileged account. Note that by default all user members of SAP_LocalAdmin are denied the ability to log on locally by security policy, so this can only occur if the system has already been compromised. | |||||
CVE-2022-29614 | 1 Sap | 2 Host Agent, Netweaver Abap | 2022-10-27 | 4.6 MEDIUM | 5.0 MEDIUM |
In SAP startservice of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22 - on Unix systems, the s-bit helper program sapuxuserchk can be abused physically, resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability. | |||||
CVE-2022-28774 | 1 Sap | 1 Host Agent | 2022-10-26 | 1.9 LOW | 5.5 MEDIUM |
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. | |||||
CVE-2022-29612 | 1 Sap | 2 Host Agent, Netweaver Abap | 2022-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allow an authenticated user to misuse a function of the sapcontrol web functionality (startservice) in Kernel, which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. | |||||
CVE-2020-6234 | 1 Sap | 1 Host Agent | 2022-04-29 | 6.5 MEDIUM | 7.2 HIGH |
SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation. | |||||
CVE-2020-6183 | 1 Sap | 1 Host Agent | 2020-02-20 | 6.4 MEDIUM | 6.5 MEDIUM |
SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending requests to the main SAPOSCOL process and receiving responses that may contain data read with root user privileges, e.g. size of any directory, system hardware and OS details, leading to a Missing Authorization Check vulnerability. | |||||
CVE-2020-6186 | 1 Sap | 1 Host Agent | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. | |||||
CVE-2017-15297 | 1 Sap | 1 Host Agent | 2018-12-10 | 5.0 MEDIUM | 7.5 HIGH |
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. |