Vulners
Lucene search
SAP NetWeaver AS JAVA 7.1 < 7.5 - Information Disclosure
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit | 11 Jan 201800:00 | – | zdt |
 | Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Sap Netweaver | 10 Jan 201809:14 | – | githubexploit |
 | CVE-2016-2388 | 16 Feb 201600:00 | – | attackerkb |
 | The vulnerability of the SAP NetWeaver software integration platform, which allows a hacker to gain access to protected information | 17 Mar 201600:00 | – | bdu_fstec |
 | CVE-2016-2388 | 14 Jun 202321:10 | – | circl |
 | SAP NetWeaver Information Disclosure Vulnerability | 9 Jun 202200:00 | – | cisa_kev |
 | SAP NetWeaver Information Disclosure Vulnerability (CNVD-2016-01148) | 18 Feb 201600:00 | – | cnvd |
 | SAP NetWeaver Information Disclosure (CVE-2016-2388) | 20 Jul 202200:00 | – | checkpoint_advisories |
 | CVE-2016-2388 | 16 Feb 201615:00 | – | cve |
 | CVE-2016-2388 | 16 Feb 201615:00 | – | cvelist |
10
Application:SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5
Vendor URL: http://SAP.com
Bugs: information disclosure
Sent: 15.09.2015
Reported: 15.09.2015
Vendor response: 16.09.2015
Date of Public Advisory: 09.02.2016
Reference: SAP Security Note 2256846
Author: Vahagn Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title: SAP NetWeaver AS JAVA – information disclosure vulnerability
Advisory ID: [ERPSCAN-16-010]
Risk: Medium
Advisory URL: https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
Date published: 09.02.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Information disclosure
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2388
CVSS Information
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality Low(N)
I : Impact to Integrity None(N)
A : Impact to Availability None (N)
3. VULNERABILITY DESCRIPTION
Anonymous attacker can use a special HTTP request to get information
about SAP NetWeaver users.
4. VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.1- 7.5
Other versions are probably affected too, but they were not checked.
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2256846
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
An attacker can use Information disclosure vulnerability to reveal
additional information (system data, debugging information, etc) that
will help him to learn more about a system and to plan further
attacks.
Steps to exploit this vulnerability
1. Open http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#
page on SAP server
2. Press "Choose" button
3. In the opened window press “Search”
You will get a list of SAP users
8. REPORT TIMELINE
Sent: 15.09.2015
Reported: 15.09.2015
Vendor response: 16.09.2015
Date of Public Advisory: 09.02.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
# 0day.today [2018-01-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 May 2016 00:00Current
5.7Medium risk
Vulners AI Score5.7
EPSS0.67754