CVE-2017-16691
MEDIUMSAP BASIS -7.02,-7.11,-7.30,-7.31,-7.40,-7.52 - Code Injection
Title source: llmDescription
SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31,7.40, from 7.50 to 7.52) supports upload of digitally signed note file of type 'SAR'. The digital signature verification is done together with the extraction of note file contained in the SAR archive. It is possible to append a tampered file to the SAR archive using SAPCAR tool and during the extraction, digital signature verification fails but the tampered file is extracted.
References (3)
Core 3
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2546220
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101822
Scores
CVSS v3
6.5
EPSS
0.0037
EPSS Percentile
58.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (12)
sap/business_application_software_integrated_solution
7.00
sap/business_application_software_integrated_solution
7.01
sap/business_application_software_integrated_solution
7.02
sap/business_application_software_integrated_solution
7.10
sap/business_application_software_integrated_solution
7.11
sap/business_application_software_integrated_solution
7.30
sap/business_application_software_integrated_solution
7.31
sap/business_application_software_integrated_solution
7.40
sap/business_application_software_integrated_solution
7.50
sap/business_application_software_integrated_solution
7.51
... and 2 more
Published
Dec 12, 2017
Tracked Since
Feb 18, 2026