Description
The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.
Product(s):
- SAP R/3
- SAP SAPGUI 4.6c for Windows
- SAP SAPGUI 4.6d for Windows
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2003-1035, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2003-1035 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.