PT-2013-23: Sensitive Information Disclosure in SAP NetWeaver

Vulnerable software

SAP NetWeaver
Version: 7.20 and earlier

SAP_BASIS
Version: 7.31 and earlier

Link: http://sap.com/

Severity level

Severity level: Medium
Impact: Sensitive Information Disclosure
Access Vector: Remote

CVSS v2:
Base Score: 4.9
Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:P)

CVE: not assigned

Software description

SAP NetWeaver is a service-oriented integration platform and has been the technical foundation for many SAP applications since the SAP Business Suite.

Vulnerability description

The specialists of the Positive Research center have detected a Sensitive Information Disclosure vulnerability in SAP NetWeaver.

Having obtained access to the SAP server (access to the table RSECTAB is required), an attacker can retrieve the passwords used to access other SAP systems for which RFC connections have been created.

How to fix

Update your software to the latest version.

Advisory status

20.03.2013 - Vendor gets vulnerability details
12.11.2013 - Vendor releases fixed version and details
27.11.2013 - Public disclosure

Credits

The vulnerability was detected by Dmitry Sklyarov, Dmitry Gutsko, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2013-23
https://service.sap.com/sap/support/notes/1902611

Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/