Lucene search

[email protected]CVE-2003-1035

HistoryApr 15, 2004 - 4:00 a.m.

CVE-2003-1035

2004-04-1504:00:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

sap r/3

installation

remote attackers

account locking

brute force

sapgui

rfc api

password guessing

nvd

7.7 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.2%

JSON

The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.

CPENameOperatorVersion
sap:sapguisap sapguieq4.6c
sap:sap_r_3sap sap r 3eq*
sap:sapguisap sapguieq4.6d

CPE	Name	Operator	Version
sap:sapgui	sap sapgui	eq	4.6c
sap:sap_r_3	sap sap r 3	eq	*
sap:sapgui	sap sapgui	eq	4.6d

References

lists.grok.org.uk/pipermail/full-disclosure/2003-March/004039.html

www.securityfocus.com/archive/1/451378/100/0/threaded

www.securityfocus.com/bid/7007

exchange.xforce.ibmcloud.com/vulnerabilities/11487

7.7 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.2%

JSON