Lucene search

[email protected]CVE-2015-7828

HistoryNov 10, 2015 - 5:59 p.m.

CVE-2015-7828

2015-11-1017:59:05

CWE-20

[email protected]

web.nvd.nist.gov

sap

hana

database

remote attack

arbitrary code execution

cve-2015-7828

security vulnerability

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

8.3 High

AI Score

Confidence

High

0.064 Low

EPSS

Percentile

93.7%

JSON

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.

Affected configurations

NVD

Node

saphanaRange≤1.00sp10

CPENameOperatorVersion
sap:hanasap hanale1.00

CPE	Name	Operator	Version
sap:hana	sap hana	le	1.00

References

packetstormsecurity.com/files/134281/SAP-HANA-TrexNet-Command-Execution.html

seclists.org/fulldisclosure/2015/Nov/36

www.onapsis.com/blog/analyzing-sap-security-notes-august-2015-edition

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

8.3 High

AI Score

Confidence

High

0.064 Low

EPSS

Percentile

93.7%

JSON

Related for CVE-2015-7828

prion1 cvelist1 nvd1