
CERT Coordination Center

SAP Internet Graphics Service buffer overflow

Vulnerability Note VU#259540

Original Release Date: 2007-01-19 | Last Revised: 2007-01-19


SAP Internet Graphics Service contains a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


According to SAP,

The Internet Graphics Service (IGS) constitutes the infrastructure to enable the application developer to display graphics in an Internet browser with a minimum of effort.
The IGS fails to properly handle HTTP requests, allowing a heap-based buffer overflow to occur. Note that the IGS is enabled by default in certain versions of the SAP Web Application Server.

This vulnerability may be triggered by sending a specially crafted HTTP request to a vulnerable IGS installation.


A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system, possibly with elevated privileges.


According to public reports, SAP has addressed this issue. More information is available in SAP Note 968423.

Vendor Information


SAP Unknown

Updated:  January 18, 2007



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.




This vulnerability was reported by Mariano Nuñez Di Croce.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 11.55
Date Public: 2007-01-18
Date First Published: 2007-01-19
Date Last Updated: 2007-01-19 16:26 UTC
Document Revision: 10

Sponsored by CISA.