Details of VAR-201601-0534

ID

VAR-201601-0534

CVE

CVE-2016-1910

TITLE

SAP NetWeaver of User Management Engine Vulnerable to unspecified data

Trust: 0.8

sources: JVNDB: JVNDB-2016-001297

DESCRIPTION

The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. SAP Netweaver is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. SAP Netweaver 7.4 is vulnerable

Trust: 1.98

sources: NVD: CVE-2016-1910 // JVNDB: JVNDB-2016-001297 // BID: 80920 // VULMON: CVE-2016-1910

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	eq	version:	7.4	Trust: 1.1

sources: BID: 80920 // JVNDB: JVNDB-2016-001297 // CNNVD: CNNVD-201601-342 // NVD: CVE-2016-1910

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1910
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-1910
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201601-342
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2016-1910
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1910
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2016-1910
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.0

sources: VULMON: CVE-2016-1910 // JVNDB: JVNDB-2016-001297 // CNNVD: CNNVD-201601-342 // NVD: CVE-2016-1910

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2016-001297 // NVD: CVE-2016-1910

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-342

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201601-342

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001297

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2016-1910

PATCH

title:	SAP Security Notes January 2016 - Review (2191290)	url:	http://scn.sap.com/community/security/blog/2016/01/12/sap-security-notes-january-2016-review	Trust: 0.8
title:	SAP NetWeaver User Management Engine Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59660	Trust: 0.6
title:	SAP_exploit	url:	https://github.com/vah13/SAP_exploit	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/lnick2023/nicenice	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/qazbnm456/awesome-cve-poc	Trust: 0.1

sources: VULMON: CVE-2016-1910 // JVNDB: JVNDB-2016-001297 // CNNVD: CNNVD-201601-342

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1910	Trust: 2.8
db:	BID	id:	80920	Trust: 1.4
db:	EXPLOIT-DB	id:	43495	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-001297	Trust: 0.8
db:	CNNVD	id:	CNNVD-201601-342	Trust: 0.6
db:	VULMON	id:	CVE-2016-1910	Trust: 0.1

sources: VULMON: CVE-2016-1910 // BID: 80920 // JVNDB: JVNDB-2016-001297 // CNNVD: CNNVD-201601-342 // NVD: CVE-2016-1910

REFERENCES

url:	http://erpscan.com/advisories/erpscan-16-003-sap-netweaver-7-4-cryptographic-issues/	Trust: 1.7
url:	http://www.securityfocus.com/bid/80920	Trust: 1.2
url:	https://www.exploit-db.com/exploits/43495/	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2016/apr/60	Trust: 1.1
url:	https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review/	Trust: 1.1
url:	https://erpscan.io/advisories/erpscan-16-003-sap-netweaver-7-4-cryptographic-issues/	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1910	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1910	Trust: 0.8
url:	http://erpscan.com/press-center/blog/sap-security-notes-january-2016-review/	Trust: 0.6
url:	http://www.sap.com	Trust: 0.3
url:	www.sap.com/platform/netweaver	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/vah13/sap_exploit	Trust: 0.1

sources: VULMON: CVE-2016-1910 // BID: 80920 // JVNDB: JVNDB-2016-001297 // CNNVD: CNNVD-201601-342 // NVD: CVE-2016-1910

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 80920

SOURCES

db:	VULMON	id:	CVE-2016-1910
db:	BID	id:	80920
db:	JVNDB	id:	JVNDB-2016-001297
db:	CNNVD	id:	CNNVD-201601-342
db:	NVD	id:	CVE-2016-1910

LAST UPDATE DATE

2024-11-23T21:54:41.150000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2016-1910	date:	2018-12-10T00:00:00
db:	BID	id:	80920	date:	2016-09-02T19:00:00
db:	JVNDB	id:	JVNDB-2016-001297	date:	2016-01-26T00:00:00
db:	CNNVD	id:	CNNVD-201601-342	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-1910	date:	2024-11-21T02:47:20.077

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2016-1910	date:	2016-01-15T00:00:00
db:	BID	id:	80920	date:	2016-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2016-001297	date:	2016-01-26T00:00:00
db:	CNNVD	id:	CNNVD-201601-342	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-1910	date:	2016-01-15T20:59:01.583