Missing Authorization Check in SAP AS JAVA's MSPRuntimeInterface

CVE-2017-5372 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
