Details of VAR-201404-0302

ID

VAR-201404-0302

CVE

CVE-2013-7364

TITLE

SAP J2EE Core Service Remote Arbitrary File Access Vulnerability

Trust: 0.9

sources: BID: 58175 // CNNVD: CNNVD-201303-099

DESCRIPTION

An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver does not properly restrict access, which allows remote attackers to read and write to arbitrary files via unknown vectors. This may lead to further attacks

Trust: 1.98

sources: NVD: CVE-2013-7364 // JVNDB: JVNDB-2013-006310 // BID: 58175 // VULMON: CVE-2013-7364

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2013-006310 // CNNVD: CNNVD-201404-132 // NVD: CVE-2013-7364

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-7364
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-7364
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201404-132
value:	HIGH
Trust: 0.6
VULMON:	CVE-2013-7364
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-7364
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

sources: VULMON: CVE-2013-7364 // JVNDB: JVNDB-2013-006310 // CNNVD: CNNVD-201404-132 // NVD: CVE-2013-7364

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2013-006310 // NVD: CVE-2013-7364

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201303-099 // CNNVD: CNNVD-201404-132

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201404-132

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006310

PATCH

title:

SAP Security Note, 1682613

url:

http://scn.sap.com/docs/DOC-8218

Trust: 0.8

sources: JVNDB: JVNDB-2013-006310

EXTERNAL IDS

db:	NVD	id:	CVE-2013-7364	Trust: 2.8
db:	BID	id:	58175	Trust: 0.9
db:	JVNDB	id:	JVNDB-2013-006310	Trust: 0.8
db:	CNNVD	id:	CNNVD-201303-099	Trust: 0.6
db:	BUGTRAQ	id:	20130222 [ONAPSIS SECURITY ADVISORY 2013-004] SAP J2EE CORE SERVICE ARBITRARY FILE ACCESS	Trust: 0.6
db:	CNNVD	id:	CNNVD-201404-132	Trust: 0.6
db:	VULMON	id:	CVE-2013-7364	Trust: 0.1

sources: VULMON: CVE-2013-7364 // BID: 58175 // JVNDB: JVNDB-2013-006310 // CNNVD: CNNVD-201303-099 // CNNVD: CNNVD-201404-132 // NVD: CVE-2013-7364

REFERENCES

url:	http://archives.neohapsis.com/archives/bugtraq/2013-02/0133.html	Trust: 2.5
url:	http://www.onapsis.com/get.php?resid=adv_onapsis-2013-004	Trust: 2.5
url:	http://www.onapsis.com/research-advisories.php	Trust: 2.5
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.7
url:	https://service.sap.com/sap/support/notes/1682613	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7364	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7364	Trust: 0.8
url:	http://www.securityfocus.com/bid/58175	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/264.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2013-7364 // JVNDB: JVNDB-2013-006310 // CNNVD: CNNVD-201303-099 // CNNVD: CNNVD-201404-132 // NVD: CVE-2013-7364

CREDITS

Juan Perez-Etchegoyen

Trust: 0.9

sources: BID: 58175 // CNNVD: CNNVD-201303-099

SOURCES

db:	VULMON	id:	CVE-2013-7364
db:	BID	id:	58175
db:	JVNDB	id:	JVNDB-2013-006310
db:	CNNVD	id:	CNNVD-201303-099
db:	CNNVD	id:	CNNVD-201404-132
db:	NVD	id:	CVE-2013-7364

LAST UPDATE DATE

2024-11-23T22:52:52.855000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2013-7364	date:	2014-04-11T00:00:00
db:	BID	id:	58175	date:	2014-06-30T00:15:00
db:	JVNDB	id:	JVNDB-2013-006310	date:	2014-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201303-099	date:	2013-03-07T00:00:00
db:	CNNVD	id:	CNNVD-201404-132	date:	2014-04-14T00:00:00
db:	NVD	id:	CVE-2013-7364	date:	2024-11-21T02:00:50.693

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2013-7364	date:	2014-04-10T00:00:00
db:	BID	id:	58175	date:	2013-02-21T00:00:00
db:	JVNDB	id:	JVNDB-2013-006310	date:	2014-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201303-099	date:	2013-02-21T00:00:00
db:	CNNVD	id:	CNNVD-201404-132	date:	2014-04-14T00:00:00
db:	NVD	id:	CVE-2013-7364	date:	2014-04-10T20:55:06.167