Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver SLD
Vendor URL: SAP
Bugs: Information disclosure
Vendor response: 23.04.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2342940
Author: Mathieu Geli (ERPScan)
Impact: loss of information and system configuration confidentiality
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:
AV: Attack Vector (Related exploit range) | Network (N)
AC: Attack Complexity (Required attack complexity) | Low (L)
PR: Privileges Required (Level of privileges needed to exploit) | None (N)
UI: User Interaction (Required user participation) | None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U)
C: Impact to Confidentiality | Low (L)
I: Impact to Integrity | None (N)
A: Impact to Availability | None (N)
The SLD webdynpro component allows entering an URL anonymously and making the server send a fixed (SLD specific) payload to it.
An attacker can use Information disclosure vulnerability for revealing additional information (system data, debugging information, etc.) which will help to learn about a system and to plan other attacks.
To correct this vulnerability, install SAP Security Note 2342940.
SAP NetWeaver 7.5 information disclosure on SLD Test application.