Details of VAR-201309-0329

ID

VAR-201309-0329

CVE

CVE-2013-5723

TITLE

SAP NetWeaver ‘ ABAD0_DELETE_DERIVATION_TABLE 'function SQL Injection vulnerability

Trust: 1.2

sources: CNNVD: CNNVD-201309-065 // CNNVD: CNNVD-201309-171

DESCRIPTION

SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE.". Because some of the input passed to the \"ABAD0_DELETE_DERIVATION_TABLE\" function fails to filter properly before using the SQL query, the remote attacker manipulates the SQL query by injecting arbitrary SQL code. SAP NetWeaver is a set of service-oriented integrated application platform of German SAP company. The platform provides a development and runtime environment for SAP applications. The vulnerability stems from insufficient filtering of user-submitted data before the program constructs SQL query statements. Attackers can use this vulnerability to manipulate SQL query logic to perform unauthorized operations in the underlying database. There are vulnerabilities in SAP NetWeaver 7.30, other versions may also be affected

Trust: 3.24

sources: NVD: CVE-2013-5723 // JVNDB: JVNDB-2013-004089 // CNVD: CNVD-2013-12896 // CNNVD: CNNVD-201309-065 // BID: 62147 // IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // VULMON: CVE-2013-5723

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-12896

AFFECTED PRODUCTS

vendor:

sap

model:

netweaver

scope:

version:

7.30

Trust: 3.5

sources: IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-12896 // BID: 62147 // JVNDB: JVNDB-2013-004089 // CNNVD: CNNVD-201309-171 // NVD: CVE-2013-5723

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5723
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-5723
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2013-12896
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201309-171
value:	HIGH
Trust: 0.6
IVD:	01277918-1f0d-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2
VULMON:	CVE-2013-5723
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-5723
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2013-12896
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	01277918-1f0d-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-12896 // VULMON: CVE-2013-5723 // JVNDB: JVNDB-2013-004089 // CNNVD: CNNVD-201309-171 // NVD: CVE-2013-5723

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2013-004089 // NVD: CVE-2013-5723

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201309-065 // CNNVD: CNNVD-201309-171

TYPE

SQL injection

Trust: 1.4

sources: IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201309-065 // CNNVD: CNNVD-201309-171

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004089

PATCH

title:	Acknowledgments to Security Researchers (SAP Security Note 1840249)	url:	http://scn.sap.com/docs/DOC-8218	Trust: 0.8
title:	SAP NetWeaver 'ABAD0_DELETE_DERIVATION_TABLE' function SQL injection vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/39364	Trust: 0.6

sources: CNVD: CNVD-2013-12896 // JVNDB: JVNDB-2013-004089

EXTERNAL IDS

db:	BID	id:	62147	Trust: 2.6
db:	NVD	id:	CVE-2013-5723	Trust: 2.5
db:	OSVDB	id:	96900	Trust: 1.7
db:	SECUNIA	id:	54702	Trust: 1.7
db:	SECTRACK	id:	1029018	Trust: 1.1
db:	CNVD	id:	CNVD-2013-12896	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-004089	Trust: 0.8
db:	CNNVD	id:	CNNVD-201309-065	Trust: 0.6
db:	CNNVD	id:	CNNVD-201309-171	Trust: 0.6
db:	IVD	id:	01277918-1F0D-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULMON	id:	CVE-2013-5723	Trust: 0.1

sources: IVD: 01277918-1f0d-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-12896 // VULMON: CVE-2013-5723 // BID: 62147 // JVNDB: JVNDB-2013-004089 // CNNVD: CNNVD-201309-065 // CNNVD: CNNVD-201309-171 // NVD: CVE-2013-5723

REFERENCES

url:	http://secunia.com/advisories/54702	Trust: 1.7
url:	http://osvdb.org/96900	Trust: 1.7
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.7
url:	https://service.sap.com/sap/support/notes/1840249	Trust: 1.7
url:	http://www.securityfocus.com/bid/62147	Trust: 1.7
url:	http://erpscan.com/advisories/dsecrg-13-016-sap-netweaver-abad0_delete_derivation_table/	Trust: 1.4
url:	http://www.securitytracker.com/id/1029018	Trust: 1.1
url:	https://erpscan.io/advisories/dsecrg-13-016-sap-netweaver-abad0_delete_derivation_table/	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5723	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5723	Trust: 0.8
url:	http://www.securelist.com/en/advisories/54702	Trust: 0.6
url:	http://www.sap.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=30800	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2013-12896 // VULMON: CVE-2013-5723 // BID: 62147 // JVNDB: JVNDB-2013-004089 // CNNVD: CNNVD-201309-065 // CNNVD: CNNVD-201309-171 // NVD: CVE-2013-5723

CREDITS

Nikolay Mescherin of ERPScan

Trust: 0.9

sources: BID: 62147 // CNNVD: CNNVD-201309-065

SOURCES

db:	IVD	id:	01277918-1f0d-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2013-12896
db:	VULMON	id:	CVE-2013-5723
db:	BID	id:	62147
db:	JVNDB	id:	JVNDB-2013-004089
db:	CNNVD	id:	CNNVD-201309-065
db:	CNNVD	id:	CNNVD-201309-171
db:	NVD	id:	CVE-2013-5723

LAST UPDATE DATE

2024-11-23T22:59:46.712000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-12896	date:	2013-09-09T00:00:00
db:	VULMON	id:	CVE-2013-5723	date:	2018-12-10T00:00:00
db:	BID	id:	62147	date:	2013-08-20T00:00:00
db:	JVNDB	id:	JVNDB-2013-004089	date:	2013-09-13T00:00:00
db:	CNNVD	id:	CNNVD-201309-065	date:	2013-09-10T00:00:00
db:	CNNVD	id:	CNNVD-201309-171	date:	2013-09-13T00:00:00
db:	NVD	id:	CVE-2013-5723	date:	2024-11-21T01:58:01.010

SOURCES RELEASE DATE

db:	IVD	id:	01277918-1f0d-11e6-abef-000c29c66e3d	date:	2013-09-09T00:00:00
db:	CNVD	id:	CNVD-2013-12896	date:	2013-09-09T00:00:00
db:	VULMON	id:	CVE-2013-5723	date:	2013-09-12T00:00:00
db:	BID	id:	62147	date:	2013-08-20T00:00:00
db:	JVNDB	id:	JVNDB-2013-004089	date:	2013-09-13T00:00:00
db:	CNNVD	id:	CNNVD-201309-065	date:	2013-08-20T00:00:00
db:	CNNVD	id:	CNNVD-201309-171	date:	2013-09-13T00:00:00
db:	NVD	id:	CVE-2013-5723	date:	2013-09-12T13:31:15.587