SAP Business One Hana (Chef Cookbook) – Exposure of Backup File to an Unauthorized Control Sphere via Insecure Temporary File Storage.
SAP Business One Hana Chef Cookbooks
0.1.9 and below
8.82, 9.0, 9.1, 9.2, 9.3, 10.0
A vulnerability in the backup functionality of SAP Business One Hana Chef Cookbook 0.1.9 and below uses an insecure temporary folder to create and modify application backup data. A local unprivileged attacker can read and potentially write to /tmp/backup_service allowing access to private backup data.
Vendor: Under certain conditions, SAP Business One Hana Chef Cookbook, versions – 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information which would otherwise be restricted, resulting in Information Disclosure vulnerability highly impacting the confidentiality, integrity and availability of the application.
Vendor has fixed the vulnerability, published a patch, and deprecated the repository.
Proof of Concept
- 2021-04-12 – Researcher discover vulnerabilities
- 2021-04-15 – Vendor deprecates repository
- 2021-05-10 – Vendor assigns CVE-2021-27616
- 2021-05-11 – Vendor publishes advisory
- 2021-06-08 – Researcher publishes advisory
Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes
Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/