Lucene search

[email protected]CVE-2017-8914

HistoryMay 23, 2017 - 4:29 a.m.

CVE-2017-8914

2017-05-2304:29:00

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

sinopia

npm

package hijacking

sap hana

sap security note

cve-2017-8914

nvd

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

8.2 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.5%

JSON

sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694.

CPENameOperatorVersion
sap:hana_xssap hana xseq2.00
sap:hana_xssap hana xseq1.00

CPE	Name	Operator	Version
sap:hana_xs	sap hana xs	eq	2.00
sap:hana_xs	sap hana xs	eq	1.00

References

www.securityfocus.com/bid/96206

erpscan.io/advisories/erpscan-17-009-sap-hana-sinopia-default-user-creation-policy-insecure/

erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

8.2 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.5%

JSON

Related for CVE-2017-8914

prion1 cvelist1 erpscan1