ID

VAR-201404-0530


CVE

CVE-2014-3130


TITLE

SAP Netweaver ABAP Application Server of Basis of ABAP Help Vulnerability gained in documentation and translation tools

Trust: 0.8

sources: JVNDB: JVNDB-2014-002335

DESCRIPTION

The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basis in SAP Netweaver ABAP Application Server do not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages. SAP BASIS is prone to a security bypass vulnerability. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and to perform unauthorized actions.

Trust: 2.16

sources: NVD: CVE-2014-3130 // JVNDB: JVNDB-2014-002335 // BID: 67108 // BID: 67304

AFFECTED PRODUCTS

vendor: sap, model: netweaver abap application server, scope: eq, version: -

Trust: 1.6

vendor: sap, model: netweaver application server abap, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.20

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.10

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.03

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.02

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.01

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.0

Trust: 0.3

sources: BID: 67304 // JVNDB: JVNDB-2014-002335 // CNNVD: CNNVD-201404-608 // NVD: CVE-2014-3130

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3130
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3130
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-608
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-3130
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2014-002335 // CNNVD: CNNVD-201404-608 // NVD: CVE-2014-3130

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-002335 // NVD: CVE-2014-3130

THREAT TYPE

network

Trust: 0.6

sources: BID: 67108 // BID: 67304

TYPE

Design Error

Trust: 0.6

sources: BID: 67108 // BID: 67304

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002335

PATCH

title: SAP Security Note 1910914, url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

sources: JVNDB: JVNDB-2014-002335

EXTERNAL IDS

db: NVD, id: CVE-2014-3130

Trust: 3.0

db: BID, id: 67108

Trust: 1.3

db: JVNDB, id: JVNDB-2014-002335

Trust: 0.8

db: FULLDISC, id: 20140428 [ONAPSIS SECURITY ADVISORY 2014-009] SAP BASIS MISSING AUTHORIZATION CHECK

Trust: 0.6

db: CNNVD, id: CNNVD-201404-608

Trust: 0.6

db: BID, id: 67304

Trust: 0.3

sources: BID: 67108 // BID: 67304 // JVNDB: JVNDB-2014-002335 // CNNVD: CNNVD-201404-608 // NVD: CVE-2014-3130

REFERENCES

url:http://seclists.org/fulldisclosure/2014/apr/302

Trust: 2.7

url:https://service.sap.com/sap/support/notes/1910914

Trust: 1.6

url:http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-009

Trust: 1.6

url:http://scn.sap.com/docs/doc-8218

Trust: 1.6

url:http://www.securityfocus.com/bid/67108

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3130

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3130

Trust: 0.8

url:http://www.onapsis.com/get.php?resid=adv_onapsis-2014-009

Trust: 0.3

url:http://scn.sap.com/community/netweaver-portal

Trust: 0.3

sources: BID: 67108 // BID: 67304 // JVNDB: JVNDB-2014-002335 // CNNVD: CNNVD-201404-608 // NVD: CVE-2014-3130

CREDITS

Jordan Santarsieri

Trust: 0.3

sources: BID: 67108

SOURCES

db: BID, id: 67108
db: BID, id: 67304
db: JVNDB, id: JVNDB-2014-002335
db: CNNVD, id: CNNVD-201404-608
db: NVD, id: CVE-2014-3130

LAST UPDATE DATE

2024-11-23T22:23:06.308000+00:00


SOURCES UPDATE DATE

db: BID, id: 67108, date: 2015-04-13T20:01:00
db: BID, id: 67304, date: 2014-04-28T00:00:00
db: JVNDB, id: JVNDB-2014-002335, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201404-608, date: 2014-05-06T00:00:00
db: NVD, id: CVE-2014-3130, date: 2024-11-21T02:07:30.443

SOURCES RELEASE DATE

db: BID, id: 67108, date: 2014-04-28T00:00:00
db: BID, id: 67304, date: 2014-04-28T00:00:00
db: JVNDB, id: JVNDB-2014-002335, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201404-608, date: 2014-04-30T00:00:00
db: NVD, id: CVE-2014-3130, date: 2014-04-30T14:22:07.250