Details of VAR-201402-0239

ID

VAR-201402-0239

CVE

CVE-2014-1963

TITLE

SAP NetWeaver of Message Server Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2014-001413

DESCRIPTION

Unspecified vulnerability in Message Server in SAP NetWeaver 7.20 allows remote attackers to cause a denial of service via unknown attack vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. Portal handles the vulnerability of WebDyn Pro and can leak path information. 3. The relevant DIR error input lacks filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. 4. Some of the relevant ISpeakAdapter inputs lack filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. A remote attacker can exploit a vulnerability to get sensitive information or crash an application. SAP NetWeaver is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. Multiple cross-site scripting vulnerabilities 3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.43

sources: NVD: CVE-2014-1963 // JVNDB: JVNDB-2014-001413 // CNVD: CNVD-2014-01007 // BID: 65547

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-01007

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.20	Trust: 2.4
vendor:	sap	model:	netweaver	scope:	eq	version:	7.x	Trust: 0.6
vendor:	sap	model:	netweaver	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2014-01007 // BID: 65547 // JVNDB: JVNDB-2014-001413 // CNNVD: CNNVD-201402-206 // NVD: CVE-2014-1963

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1963
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-1963
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-01007
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201402-206
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2014-1963
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-01007
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-01007 // JVNDB: JVNDB-2014-001413 // CNNVD: CNNVD-201402-206 // NVD: CVE-2014-1963

PROBLEMTYPE DATA

problemtype:

NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-1963

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-206

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 65547

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001413

PATCH

title:	SAP Security Note 1773912	url:	http://scn.sap.com/docs/DOC-8218	Trust: 0.8
title:	SAP NetWeaver has multiple vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/43676	Trust: 0.6

sources: CNVD: CNVD-2014-01007 // JVNDB: JVNDB-2014-001413

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1963	Trust: 3.0
db:	SECUNIA	id:	56947	Trust: 1.6
db:	BID	id:	65547	Trust: 0.9
db:	JVNDB	id:	JVNDB-2014-001413	Trust: 0.8
db:	CNVD	id:	CNVD-2014-01007	Trust: 0.6
db:	CNNVD	id:	CNNVD-201402-206	Trust: 0.6

sources: CNVD: CNVD-2014-01007 // BID: 65547 // JVNDB: JVNDB-2014-001413 // CNNVD: CNNVD-201402-206 // NVD: CVE-2014-1963

REFERENCES

url:	http://erpscan.com/advisories/erpscan-14-001-sap-netweaver-message-server-dos/	Trust: 2.0
url:	https://service.sap.com/sap/support/notes/1773912	Trust: 1.6
url:	http://secunia.com/advisories/56947	Trust: 1.6
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.6
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/91097	Trust: 1.0
url:	https://erpscan.io/advisories/erpscan-14-001-sap-netweaver-message-server-dos/	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1963	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1963	Trust: 0.8
url:	http://erpscan.com/advisories/erpscan-14-002-sap-portal-webdynpro-path-disclosure/	Trust: 0.6
url:	http://erpscan.com/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/	Trust: 0.6
url:	http://erpscan.com/advisories/erpscan-14-006-sap-netweaver-pip-xss/	Trust: 0.6
url:	http://www.sap.com	Trust: 0.3

sources: CNVD: CNVD-2014-01007 // BID: 65547 // JVNDB: JVNDB-2014-001413 // CNNVD: CNNVD-201402-206 // NVD: CVE-2014-1963

CREDITS

Alexander Polyakov, George Nosenko and Dmitry Chastukhin

Trust: 0.3

sources: BID: 65547

SOURCES

db:	CNVD	id:	CNVD-2014-01007
db:	BID	id:	65547
db:	JVNDB	id:	JVNDB-2014-001413
db:	CNNVD	id:	CNNVD-201402-206
db:	NVD	id:	CVE-2014-1963

LAST UPDATE DATE

2024-11-23T22:23:07.882000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-01007	date:	2014-02-18T00:00:00
db:	BID	id:	65547	date:	2014-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2014-001413	date:	2014-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201402-206	date:	2014-02-18T00:00:00
db:	NVD	id:	CVE-2014-1963	date:	2024-11-21T02:05:21.787

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-01007	date:	2014-02-18T00:00:00
db:	BID	id:	65547	date:	2014-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2014-001413	date:	2014-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201402-206	date:	2014-02-18T00:00:00
db:	NVD	id:	CVE-2014-1963	date:	2014-02-14T15:55:07.533