Lucene search

[email protected]CVE-2015-3994

HistoryMay 29, 2015 - 3:59 p.m.

CVE-2015-3994

2015-05-2915:59:00

CWE-20

[email protected]

web.nvd.nist.gov

sap

hana db

xs engine

security

spoofing

cve-2015-3994

nvd

6.2 Medium

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.3%

JSON

The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.

CPENameOperatorVersion
sap:hanasap hanaeq1.00.73.00.389160

CPE	Name	Operator	Version
sap:hana	sap hana	eq	1.00.73.00.389160

References

packetstormsecurity.com/files/132067/SAP-HANA-Log-Injection.html

seclists.org/fulldisclosure/2015/May/118

www.onapsis.com/research/security-advisories/SAP-HANA-Log-Injection-Vulnerability-in-Extended-Application-Services

www.securityfocus.com/archive/1/535618/100/0/threaded

www.securityfocus.com/bid/74859

6.2 Medium

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.3%

JSON

Related for CVE-2015-3994

securityvulns2 prion1 cvelist1