ID

VAR-201312-0311


CVE

CVE-2013-7094


TITLE

SQL Injection Vulnerability in the RSDDCVER_COUNT_TAB_COLS Function of SAP NetWeaver

Trust: 0.8

sources: JVNDB: JVNDB-2013-005538

DESCRIPTION

SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver "RSDDCVER_COUNT_TAB_COLS" function fails to properly filter user-submitted input, allowing remote attackers to submit specially crafted SQL queries that can retrieve or manipulate database information. SAP NetWeaver is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting this issue could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SAP NetWeaver 7.30 is vulnerable; other versions may also be affected.

Trust: 2.61

sources: NVD: CVE-2013-7094 // JVNDB: JVNDB-2013-005538 // CNVD: CNVD-2013-15063 // BID: 64232 // IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-15063

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 3.3

vendor: netweaver, model: -, scope: eq, version: 7.30

Trust: 0.2

sources: IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-15063 // BID: 64232 // JVNDB: JVNDB-2013-005538 // CNNVD: CNNVD-201312-300 // NVD: CVE-2013-7094

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-7094
value: HIGH

Trust: 1.0

NVD: CVE-2013-7094
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-15063
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201312-300
value: HIGH

Trust: 0.6

IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2013-7094
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-15063
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-15063 // JVNDB: JVNDB-2013-005538 // CNNVD: CNNVD-201312-300 // NVD: CVE-2013-7094

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2013-005538 // NVD: CVE-2013-7094

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201312-300

TYPE

SQL injection

Trust: 0.8

sources: IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201312-300

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005538

PATCH

title: Acknowledgments to Security Researchers
url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

title: SAP NetWeaver 'RSDDCVER_COUNT_TAB_COLS' patch for SQL injection vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/41624

Trust: 0.6

sources: CNVD: CNVD-2013-15063 // JVNDB: JVNDB-2013-005538

EXTERNAL IDS

db: NVD, id: CVE-2013-7094

Trust: 2.9

db: BID, id: 64232

Trust: 1.9

db: SECUNIA, id: 56061

Trust: 1.6

db: CNVD, id: CNVD-2013-15063

Trust: 0.8

db: CNNVD, id: CNNVD-201312-300

Trust: 0.8

db: JVNDB, id: JVNDB-2013-005538

Trust: 0.8

db: XF, id: 89603

Trust: 0.6

db: IVD, id: 9C78F5BE-1EF8-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 9c78f5be-1ef8-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-15063 // BID: 64232 // JVNDB: JVNDB-2013-005538 // CNNVD: CNNVD-201312-300 // NVD: CVE-2013-7094

REFERENCES

url:http://erpscan.com/advisories/erpscan-13-022-sap-netweaver-rsddcver_count_tab_cols-potential-sql-injection/

Trust: 2.0

url:https://service.sap.com/sap/support/notes/1836718

Trust: 1.6

url:http://secunia.com/advisories/56061

Trust: 1.6

url:http://scn.sap.com/docs/doc-8218

Trust: 1.6

url:http://www.securityfocus.com/bid/64232

Trust: 1.0

url:https://erpscan.io/advisories/erpscan-13-022-sap-netweaver-rsddcver_count_tab_cols-potential-sql-injection/

Trust: 1.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/89603

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7094

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7094

Trust: 0.8

url:http://erpscan.com/press-center/blog/sap-critical-patch-update-november-2013/

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/89603

Trust: 0.6

sources: CNVD: CNVD-2013-15063 // JVNDB: JVNDB-2013-005538 // CNNVD: CNNVD-201312-300 // NVD: CVE-2013-7094

CREDITS

Nikolay Mescherin of ERPScan

Trust: 0.3

sources: BID: 64232

SOURCES

db: IVD, id: 9c78f5be-1ef8-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-15063
db: BID, id: 64232
db: JVNDB, id: JVNDB-2013-005538
db: CNNVD, id: CNNVD-201312-300
db: NVD, id: CVE-2013-7094

LAST UPDATE DATE

2024-11-23T22:56:39.286000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-15063, date: 2013-12-16T00:00:00
db: BID, id: 64232, date: 2013-12-17T00:17:00
db: JVNDB, id: JVNDB-2013-005538, date: 2013-12-17T00:00:00
db: CNNVD, id: CNNVD-201312-300, date: 2013-12-20T00:00:00
db: NVD, id: CVE-2013-7094, date: 2024-11-21T02:00:20.180

SOURCES RELEASE DATE

db: IVD, id: 9c78f5be-1ef8-11e6-abef-000c29c66e3d, date: 2013-12-16T00:00:00
db: CNVD, id: CNVD-2013-15063, date: 2013-12-16T00:00:00
db: BID, id: 64232, date: 2013-11-29T00:00:00
db: JVNDB, id: JVNDB-2013-005538, date: 2013-12-17T00:00:00
db: CNNVD, id: CNNVD-201312-300, date: 2013-12-17T00:00:00
db: NVD, id: CVE-2013-7094, date: 2013-12-13T20:08:40.797