GCVE - cpe:2.3:a:sas:studio:9.4:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:sas:studio:9.4:*:*:*:*:*:*:*

part: a version: 9.4 update: *

Vendor	Sas (`92141fd0-1bae-5599-a81e-a7636e003c39`)
Product	Studio (`77c31964-2080-557c-a357-2615c254994b`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-48735`	vulnerable	2026-06-03 14:57:10.076544	Details available Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows remote attacker to access internal files by manipulating default path during file download. NOTE: this is disputed by the vendor because these filesystem paths are allowed for authorized users. Published: 2024-10-30T00:00:00.000Z Updated: 2024-11-01T13:13:28.850Z Open on db.gcve.eu Reference links http://sas.com https://github.com/ACN-CVEs/CVE-2024-48735/blob/67e86e12393650e1df16c845ceff487d016f31f0/LFI.pdf	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-48734`	vulnerable	2026-06-03 14:57:10.076230	Details available Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users. Published: 2024-10-30T00:00:00.000Z Updated: 2024-11-04T18:41:15.240Z Open on db.gcve.eu Reference links http://sas.com https://github.com/ACN-CVEs/CVE-2024-48734/blob/d59cca7b03bce3a516035d1a0f488d67c3d10ae6/Unrestricted%20file%20upload.pdf	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-48733`	vulnerable	2026-06-03 14:57:10.075817	Details available SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users. Published: 2024-10-30T00:00:00.000Z Updated: 2024-11-04T18:37:56.065Z Open on db.gcve.eu Reference links http://sas.com https://github.com/ACN-CVEs/CVE-2024-48733/blob/ea2da31c3d6e0140edd6a1455e6157b8ba2f7a67/SQL%20injection.pdf	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.