Lucene search

[email protected]CVE-2014-5171

HistoryJul 31, 2014 - 2:55 p.m.

CVE-2014-5171

2014-07-3114:55:00

CWE-310

[email protected]

web.nvd.nist.gov

sap

hana

form based authentication

ssl

encryption

network sniffing

security vulnerability

cve-2014-5171

7.3 High

AI Score

Confidence

Low

2.9 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

71.1%

JSON

SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

CPENameOperatorVersion
sap:hana_extended_application_servicessap hana extended application serviceseq-

CPE	Name	Operator	Version
sap:hana_extended_application_services	sap hana extended application services	eq	-

References

packetstormsecurity.com/files/127666/SAP-HANA-XS-Missing-Encryption.html

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Jul/149

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021

www.securityfocus.com/archive/1/532940/100/0/threaded

www.securityfocus.com/bid/68947

service.sap.com/sap/support/notes/1963932

7.3 High

AI Score

Confidence

Low

2.9 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

71.1%

JSON

Related for CVE-2014-5171

cvelist1 prion1