Details of VAR-201602-0120

ID

VAR-201602-0120

CVE

CVE-2016-2388

TITLE

SAP NetWeaver of Universal Worklist Configuration Vulnerability in obtaining important user information

Trust: 0.8

sources: JVNDB: JVNDB-2016-001526

DESCRIPTION

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. Vendors have confirmed this vulnerability SAP Security Note 2256846 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlSkillfully crafted by a third party HTTP Important user information may be obtained through a request

Trust: 1.71

sources: NVD: CVE-2016-2388 // JVNDB: JVNDB-2016-001526 // VULMON: CVE-2016-2388

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver application server java	scope:	lte	version:	7.50	Trust: 1.0
vendor:	sap	model:	netweaver application server java	scope:	gte	version:	7.10	Trust: 1.0
vendor:	sap	model:	netweaver	scope:	eq	version:	7.4	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 0.6

sources: JVNDB: JVNDB-2016-001526 // CNNVD: CNNVD-201602-298 // NVD: CVE-2016-2388

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2388
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-2388
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201602-298
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2016-2388
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-2388
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2016-2388
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: VULMON: CVE-2016-2388 // JVNDB: JVNDB-2016-001526 // CNNVD: CNNVD-201602-298 // NVD: CVE-2016-2388

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.8
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2016-001526 // NVD: CVE-2016-2388

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-298

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201602-298

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001526

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2016-2388

PATCH

title:	SAP Security Notes February 2016 - Review (2256846)	url:	http://scn.sap.com/community/security/blog/2016/02/11/sap-security-notes-february-2016--review?TB_iframe=true&width=921.6&height=921.6	Trust: 0.8
title:	SAP NetWeaver Universal Worklist Configuration Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60234	Trust: 0.6
title:	SAP_exploit	url:	https://github.com/vah13/SAP_exploit	Trust: 0.1
title:	Exp101tsArchiv30thers	url:	https://github.com/nu11secur1ty/Exp101tsArchiv30thers	Trust: 0.1
title:	awesome-cve-poc_qazbnm456	url:	https://github.com/xbl3/awesome-cve-poc_qazbnm456	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2022/06/15/microsoft_patch_tuesday/	Trust: 0.1

sources: VULMON: CVE-2016-2388 // JVNDB: JVNDB-2016-001526 // CNNVD: CNNVD-201602-298

EXTERNAL IDS

db:	NVD	id:	CVE-2016-2388	Trust: 2.5
db:	EXPLOIT-DB	id:	39841	Trust: 1.7
db:	EXPLOIT-DB	id:	43495	Trust: 1.7
db:	PACKETSTORM	id:	137128	Trust: 1.7
db:	PACKETSTORM	id:	145860	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-001526	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-298	Trust: 0.6
db:	BID	id:	83219	Trust: 0.1
db:	VULMON	id:	CVE-2016-2388	Trust: 0.1

sources: VULMON: CVE-2016-2388 // JVNDB: JVNDB-2016-001526 // CNNVD: CNNVD-201602-298 // NVD: CVE-2016-2388

REFERENCES

url:	https://www.exploit-db.com/exploits/39841/	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2016/may/55	Trust: 1.7
url:	http://packetstormsecurity.com/files/137128/sap-netweaver-as-java-7.5-information-disclosure.html	Trust: 1.7
url:	https://www.exploit-db.com/exploits/43495/	Trust: 1.7
url:	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	Trust: 1.7
url:	https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/	Trust: 1.7
url:	http://packetstormsecurity.com/files/145860/sap-netweaver-j2ee-engine-7.40-sql-injection.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2388	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2388	Trust: 0.8
url:	https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/	Trust: 0.8
url:	https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/vah13/sap_exploit	Trust: 0.1
url:	https://www.securityfocus.com/bid/83219	Trust: 0.1

sources: VULMON: CVE-2016-2388 // JVNDB: JVNDB-2016-001526 // CNNVD: CNNVD-201602-298 // NVD: CVE-2016-2388

SOURCES

db:	VULMON	id:	CVE-2016-2388
db:	JVNDB	id:	JVNDB-2016-001526
db:	CNNVD	id:	CNNVD-201602-298
db:	NVD	id:	CVE-2016-2388

LAST UPDATE DATE

2024-11-23T21:54:41.181000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2016-2388	date:	2021-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-001526	date:	2016-03-01T00:00:00
db:	CNNVD	id:	CNNVD-201602-298	date:	2021-04-29T00:00:00
db:	NVD	id:	CVE-2016-2388	date:	2024-11-21T02:48:22.130

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2016-2388	date:	2016-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2016-001526	date:	2016-03-01T00:00:00
db:	CNNVD	id:	CNNVD-201602-298	date:	2016-02-17T00:00:00
db:	NVD	id:	CVE-2016-2388	date:	2016-02-16T15:59:02.103