5.3

CVE-2016-2388

Warnung
Exploit
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SAPNetweaver Application Server Java Version >= 7.10 <= 7.50

09.06.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP NetWeaver Information Disclosure Vulnerability

Schwachstelle

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 51.55% 0.988
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.exploit-db.com/exploits/43495/
Third Party Advisory
Exploit
VDB Entry
https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
Third Party Advisory
Broken Link
http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
Third Party Advisory
Exploit
VDB Entry
http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
Third Party Advisory
Exploit
VDB Entry
http://seclists.org/fulldisclosure/2016/May/55
Third Party Advisory
Exploit
Mailing List
https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
Third Party Advisory
Broken Link
https://www.exploit-db.com/exploits/39841/
Third Party Advisory
Exploit
VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2388
US Government Resource