CVE-2010-5326

Warnung

EPSS 26.42%
Veröffentlicht 13.05.2016 10:59:00
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Netweaver Application Server Java Version <= 7.30

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP NetWeaver Remote Code Execution Vulnerability

Schwachstelle

SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	26.42%	0.961

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://service.sap.com/sap/support/notes/1445998

Permissions Required

http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions

Broken Link

http://www.securityfocus.com/bid/48925

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/90533

Third Party Advisory

VDB Entry

http://www.us-cert.gov/ncas/alerts/TA16-132A

Third Party Advisory