ID

VAR-201311-0360


CVE

CVE-2013-6814


TITLE

SAP NetWeaver SAP Portal URI Redirection Vulnerability

Trust: 0.8

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14601

DESCRIPTION

The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote attackers to redirect users to arbitrary web sites, conduct phishing attacks, and obtain sensitive information (cookies and SAPPASSPORT) via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a URI redirection vulnerability in SAP NetWeaver. SAP NetWeaver is prone to an open-redirection weakness because the application fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. Other attacks are possible. SAP NetWeaver J2EE 6.40 and 7.02 are vulnerable.

Trust: 2.61

sources: NVD: CVE-2013-6814 // JVNDB: JVNDB-2013-005193 // CNVD: CNVD-2013-14601 // BID: 63783 // IVD: ad294c52-1efc-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'] sub_category: -

Trust: 0.8

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14601

AFFECTED PRODUCTS

vendor: sap | model: netweaver | scope: eq | version: 6.4

Trust: 1.6

vendor: sap | model: netweaver | scope: lte | version: 7.02

Trust: 1.0

vendor: sap | model: netweaver | scope: eq | version: 7.02

Trust: 0.9

vendor: sap | model: netweaver | scope: eq | version: 6.40

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: 7.31

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: 7.x

Trust: 0.6

vendor: sap | model: web application server | scope: eq | version: 7.x

Trust: 0.6

vendor: sap | model: web application server | scope: eq | version: 6.x

Trust: 0.6

vendor: netweaver | model: - | scope: eq | version: 6.4

Trust: 0.2

vendor: netweaver | model: - | scope: eq | version: *

Trust: 0.2

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14601 // BID: 63783 // JVNDB: JVNDB-2013-005193 // CNNVD: CNNVD-201311-285 // NVD: CVE-2013-6814

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6814
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6814
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-14601
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201311-285
value: MEDIUM

Trust: 0.6

IVD: ad294c52-1efc-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2013-6814
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-14601
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ad294c52-1efc-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14601 // JVNDB: JVNDB-2013-005193 // CNNVD: CNNVD-201311-285 // NVD: CVE-2013-6814

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2013-005193 // NVD: CVE-2013-6814

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-285

TYPE

Input validation

Trust: 0.8

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201311-285

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005193

PATCH

title: Acknowledgments to Security Researchers
url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

title: Patch for SAP NetWeaver SAP Portal URI Redirection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/41226

Trust: 0.6

sources: CNVD: CNVD-2013-14601 // JVNDB: JVNDB-2013-005193

EXTERNAL IDS

db: NVD | id: CVE-2013-6814

Trust: 3.5

db: SECUNIA | id: 55778

Trust: 2.2

db: BID | id: 63783

Trust: 0.9

db: CNVD | id: CNVD-2013-14601

Trust: 0.8

db: CNNVD | id: CNNVD-201311-285

Trust: 0.8

db: JVNDB | id: JVNDB-2013-005193

Trust: 0.8

db: IVD | id: AD294C52-1EFC-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: ad294c52-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14601 // BID: 63783 // JVNDB: JVNDB-2013-005193 // CNNVD: CNNVD-201311-285 // NVD: CVE-2013-6814

REFERENCES

url: https://service.sap.com/sap/support/notes/1854826

Trust: 2.2

url: http://secunia.com/advisories/55778

Trust: 2.2

url: http://scn.sap.com/docs/doc-8218

Trust: 1.6

url: http://erpscan.com/advisories/erpscan-13-021-sap-portal-unvalidated-redirect/

Trust: 1.4

url: https://erpscan.io/advisories/erpscan-13-021-sap-portal-unvalidated-redirect/

Trust: 1.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6814

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6814

Trust: 0.8

url: http://www.sap.com/platform/netweaver/index.epx

Trust: 0.3

sources: CNVD: CNVD-2013-14601 // BID: 63783 // JVNDB: JVNDB-2013-005193 // CNNVD: CNNVD-201311-285 // NVD: CVE-2013-6814

CREDITS

Alexander Polyakov of ERPScan

Trust: 0.3

sources: BID: 63783

SOURCES

db: IVD | id: ad294c52-1efc-11e6-abef-000c29c66e3d
db: CNVD | id: CNVD-2013-14601
db: BID | id: 63783
db: JVNDB | id: JVNDB-2013-005193
db: CNNVD | id: CNNVD-201311-285
db: NVD | id: CVE-2013-6814

LAST UPDATE DATE

2024-11-23T23:02:50.834000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2013-14601 | date: 2013-11-22T00:00:00
db: BID | id: 63783 | date: 2013-11-21T00:37:00
db: JVNDB | id: JVNDB-2013-005193 | date: 2013-11-21T00:00:00
db: CNNVD | id: CNNVD-201311-285 | date: 2013-11-22T00:00:00
db: NVD | id: CVE-2013-6814 | date: 2024-11-21T01:59:45.480

SOURCES RELEASE DATE

db: IVD | id: ad294c52-1efc-11e6-abef-000c29c66e3d | date: 2013-11-22T00:00:00
db: CNVD | id: CNVD-2013-14601 | date: 2013-11-22T00:00:00
db: BID | id: 63783 | date: 2013-10-30T00:00:00
db: JVNDB | id: JVNDB-2013-005193 | date: 2013-11-21T00:00:00
db: CNNVD | id: CNNVD-201311-285 | date: 2013-11-22T00:00:00
db: NVD | id: CVE-2013-6814 | date: 2013-11-20T14:12:30.913