ID

VAR-201509-0262


CVE

CVE-2015-7239


TITLE

SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM module of SAP NetWeaver J2EE Engine

Trust: 0.8

sources: JVNDB: JVNDB-2015-004934

DESCRIPTION

SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SAP NetWeaver 7.40 is vulnerable; other versions may also be affected.

Trust: 1.89

sources: NVD: CVE-2015-7239 // JVNDB: JVNDB-2015-004934 // BID: 79344

AFFECTED PRODUCTS

vendor: sap, model: netweaver j2ee engine, scope: eq, version: 7.40

Trust: 2.4

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 0.3

sources: BID: 79344 // JVNDB: JVNDB-2015-004934 // CNNVD: CNNVD-201509-373 // NVD: CVE-2015-7239

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7239
value: HIGH

Trust: 1.0

NVD: CVE-2015-7239
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-373
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2015-7239
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2015-004934 // CNNVD: CNNVD-201509-373 // NVD: CVE-2015-7239

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2015-004934 // NVD: CVE-2015-7239

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-373

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201509-373

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004934

PATCH

title: SAP Security Note 2193389, url: http://scn.sap.com/docs/DOC-55451

Trust: 0.8

sources: JVNDB: JVNDB-2015-004934

EXTERNAL IDS

db: NVD, id: CVE-2015-7239

Trust: 2.7

db: PACKETSTORM, id: 134801

Trust: 1.0

db: JVNDB, id: JVNDB-2015-004934

Trust: 0.8

db: CNNVD, id: CNNVD-201509-373

Trust: 0.6

db: BID, id: 79344

Trust: 0.3

sources: BID: 79344 // JVNDB: JVNDB-2015-004934 // CNNVD: CNNVD-201509-373 // NVD: CVE-2015-7239

REFERENCES

url:http://erpscan.com/advisories/erpscan-15-021-sap-netweaver-7-4-bp_find_jobs_with_program-sql-injecti/

Trust: 1.9

url:https://erpscan.io/advisories/erpscan-15-021-sap-netweaver-7-4-bp_find_jobs_with_program-sql-injection/

Trust: 1.0

url:http://seclists.org/fulldisclosure/2015/dec/66

Trust: 1.0

url:http://packetstormsecurity.com/files/134801/sap-netweaver-j2ee-engine-7.40-sql-injection.html

Trust: 1.0

url:http://www.securityfocus.com/archive/1/537109/100/0/threaded

Trust: 1.0

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7239

Trust: 0.8

url:http://erpscan.com/advisories/erpscan-15-021-sap-netweaver-7-4-bp_find_jobs_with_program-sql-injection/

Trust: 0.6

url:https://help.sap.com/nw_platform

Trust: 0.3

sources: BID: 79344 // JVNDB: JVNDB-2015-004934 // CNNVD: CNNVD-201509-373 // NVD: CVE-2015-7239

CREDITS

Vahagn Vardanyan (ERPScan)

Trust: 0.3

sources: BID: 79344

SOURCES

db: BID, id: 79344
db: JVNDB, id: JVNDB-2015-004934
db: CNNVD, id: CNNVD-201509-373
db: NVD, id: CVE-2015-7239

LAST UPDATE DATE

2024-11-23T22:27:05.053000+00:00


SOURCES UPDATE DATE

db: BID, id: 79344, date: 2015-09-09T00:00:00
db: JVNDB, id: JVNDB-2015-004934, date: 2015-09-30T00:00:00
db: CNNVD, id: CNNVD-201509-373, date: 2015-09-21T00:00:00
db: NVD, id: CVE-2015-7239, date: 2024-11-21T02:36:24.867

SOURCES RELEASE DATE

db: BID, id: 79344, date: 2015-09-09T00:00:00
db: JVNDB, id: JVNDB-2015-004934, date: 2015-09-30T00:00:00
db: CNNVD, id: CNNVD-201509-373, date: 2015-09-21T00:00:00
db: NVD, id: CVE-2015-7239, date: 2015-09-18T14:59:05.050