CVE-2010-5326

Warning

EPSS 26.42%
Published 13.05.2016 10:59:00
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Affected products Warnungen 1 Metrics 4 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Netweaver Application Server Java Version <= 7.30

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP NetWeaver Remote Code Execution Vulnerability

Vulnerability

SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	26.42%	0.961

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://service.sap.com/sap/support/notes/1445998

Permissions Required

http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions

Broken Link

http://www.securityfocus.com/bid/48925

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/90533

Third Party Advisory

VDB Entry

http://www.us-cert.gov/ncas/alerts/TA16-132A

Third Party Advisory