Details of VAR-201602-0118

ID

VAR-201602-0118

CVE

CVE-2016-2386

TITLE

SAP NetWeaver J2EE Engine of UDDI On the server SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-001461

DESCRIPTION

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079

Trust: 1.71

sources: NVD: CVE-2016-2386 // JVNDB: JVNDB-2016-001461 // VULMON: CVE-2016-2386

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver application server java	scope:	eq	version:	7.40	Trust: 1.0
vendor:	sap	model:	netweaver	scope:	eq	version:	j2ee engine 7.40	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 0.6

sources: JVNDB: JVNDB-2016-001461 // CNNVD: CNNVD-201602-296 // NVD: CVE-2016-2386

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2386
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-2386
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201602-296
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2016-2386
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-2386
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2016-2386
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULMON: CVE-2016-2386 // JVNDB: JVNDB-2016-001461 // CNNVD: CNNVD-201602-296 // NVD: CVE-2016-2386

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2016-001461 // NVD: CVE-2016-2386

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-296

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201602-296

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001461

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2016-2386

PATCH

title:	SAP Security Notes February 2016 - Review (2101079)	url:	http://scn.sap.com/community/security/blog/2016/02/11/sap-security-notes-february-2016--review?TB_iframe=true&width=921.6&height=921.6	Trust: 0.8
title:	SAP NetWeaver J2EE Engine UDDI server SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60232	Trust: 0.6
title:	https://github.com/murataydemir/CVE-2016-2386	url:	https://github.com/murataydemir/CVE-2016-2386	Trust: 0.1
title:	SAP_exploit	url:	https://github.com/vah13/SAP_exploit	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/lnick2023/nicenice	Trust: 0.1
title:	Known Exploited Vulnerabilities Detector	url:	https://github.com/Ostorlab/KEV	Trust: 0.1
title:	Awesome CVE PoC	url:	https://github.com/qazbnm456/awesome-cve-poc	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2022/06/15/microsoft_patch_tuesday/	Trust: 0.1

sources: VULMON: CVE-2016-2386 // JVNDB: JVNDB-2016-001461 // CNNVD: CNNVD-201602-296

EXTERNAL IDS

db:	NVD	id:	CVE-2016-2386	Trust: 2.5
db:	EXPLOIT-DB	id:	39840	Trust: 1.7
db:	EXPLOIT-DB	id:	43495	Trust: 1.7
db:	PACKETSTORM	id:	137129	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-001461	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-296	Trust: 0.6
db:	BID	id:	83222	Trust: 0.1
db:	VULMON	id:	CVE-2016-2386	Trust: 0.1

sources: VULMON: CVE-2016-2386 // JVNDB: JVNDB-2016-001461 // CNNVD: CNNVD-201602-296 // NVD: CVE-2016-2386

REFERENCES

url:	https://www.exploit-db.com/exploits/39840/	Trust: 1.8
url:	https://github.com/vah13/sap_exploit	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2016/may/56	Trust: 1.7
url:	http://packetstormsecurity.com/files/137129/sap-netweaver-as-java-7.5-sql-injection.html	Trust: 1.7
url:	https://www.exploit-db.com/exploits/43495/	Trust: 1.7
url:	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	Trust: 1.7
url:	https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2386	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2386	Trust: 0.8
url:	https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/	Trust: 0.8
url:	https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://github.com/murataydemir/cve-2016-2386	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/83222	Trust: 0.1

sources: VULMON: CVE-2016-2386 // JVNDB: JVNDB-2016-001461 // CNNVD: CNNVD-201602-296 // NVD: CVE-2016-2386

SOURCES

db:	VULMON	id:	CVE-2016-2386
db:	JVNDB	id:	JVNDB-2016-001461
db:	CNNVD	id:	CNNVD-201602-296
db:	NVD	id:	CVE-2016-2386

LAST UPDATE DATE

2024-11-23T21:54:41.123000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2016-2386	date:	2021-04-20T00:00:00
db:	JVNDB	id:	JVNDB-2016-001461	date:	2016-02-22T00:00:00
db:	CNNVD	id:	CNNVD-201602-296	date:	2021-04-22T00:00:00
db:	NVD	id:	CVE-2016-2386	date:	2024-11-21T02:48:21.830

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2016-2386	date:	2016-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2016-001461	date:	2016-02-22T00:00:00
db:	CNNVD	id:	CNNVD-201602-296	date:	2016-02-17T00:00:00
db:	NVD	id:	CVE-2016-2386	date:	2016-02-16T15:59:00.133