ID

VAR-201604-0202


CVE

CVE-2015-8840


TITLE

SAP NetWeaver AS JAVA Unauthorized Access Vulnerability

Trust: 1.4

sources: IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07260 // CNNVD: CNNVD-201510-715

DESCRIPTION

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. SAP NetWeaver is a service-oriented integrated application platform from SAP (Germany) that provides a development and runtime environment for SAP applications. SAP NetWeaver AS (Application Server) Java is an application server running on NetWeaver and based on the Java programming language. An unauthorized access vulnerability exists in SAP NetWeaver AS Java. An attacker could use this vulnerability to obtain sensitive information.

Trust: 3.15

sources: NVD: CVE-2015-8840 // JVNDB: JVNDB-2015-007026 // CNVD: CNVD-2015-07260 // CNNVD: CNNVD-201510-715 // BID: 77117 // IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07260

AFFECTED PRODUCTS

vendor: sap | model: netweaver application server java | scope: eq | version: -

Trust: 1.0

vendor: sap | model: netweaver | scope: eq | version: 7.4

Trust: 0.8

vendor: sap | model: netweaver as java | scope: - | version: -

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: -

Trust: 0.6

vendor: netweaver | model: - | scope: eq | version: -

Trust: 0.2

sources: IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07260 // JVNDB: JVNDB-2015-007026 // CNNVD: CNNVD-201604-100 // NVD: CVE-2015-8840

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8840
value: HIGH

Trust: 1.0

NVD: CVE-2015-8840
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-07260
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201604-100
value: HIGH

Trust: 0.6

IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2015-8840
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-07260
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2015-8840
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2015-8840
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07260 // JVNDB: JVNDB-2015-007026 // CNNVD: CNNVD-201604-100 // NVD: CVE-2015-8840

PROBLEMTYPE DATA

problemtype: CWE-862

Trust: 1.0

problemtype: CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2015-007026 // NVD: CVE-2015-8840

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201510-715 // CNNVD: CNNVD-201604-100

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201604-100

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007026

PATCH

title: SAP Security Notes July 2015 (1945215)
url: http://scn.sap.com/community/security/blog/2015/07/15/sap-security-notes-july-2015

Trust: 0.8

title: SAP NetWeaver AS JAVA Unauthorized Access Vulnerability Patch
url: https://www.cnvd.org.cn/patchInfo/show/66158

Trust: 0.6

title: SAP NetWeaver AS Java XML Data Archiving Service security vulnerability repair measures
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60831

Trust: 0.6

sources: CNVD: CNVD-2015-07260 // JVNDB: JVNDB-2015-007026 // CNNVD: CNNVD-201604-100

EXTERNAL IDS

db: NVD | id: CVE-2015-8840

Trust: 2.9

db: BID | id: 77117

Trust: 1.5

db: CNVD | id: CNVD-2015-07260

Trust: 0.8

db: CNNVD | id: CNNVD-201604-100

Trust: 0.8

db: JVNDB | id: JVNDB-2015-007026

Trust: 0.8

db: CNNVD | id: CNNVD-201510-715

Trust: 0.6

db: IVD | id: 4B143DC0-1E5B-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 4b143dc0-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07260 // BID: 77117 // JVNDB: JVNDB-2015-007026 // CNNVD: CNNVD-201510-715 // CNNVD: CNNVD-201604-100 // NVD: CVE-2015-8840

REFERENCES

url: https://erpscan.io/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/

Trust: 1.6

url: http://scn.sap.com/community/security/blog/2015/07/15/sap-security-notes-july-2015

Trust: 1.6

url: http://www.securityfocus.com/bid/77117

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8840

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8840

Trust: 0.8

url: http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/

Trust: 0.8

url: http://www.sap.com

Trust: 0.3

sources: CNVD: CNVD-2015-07260 // BID: 77117 // JVNDB: JVNDB-2015-007026 // CNNVD: CNNVD-201510-715 // CNNVD: CNNVD-201604-100 // NVD: CVE-2015-8840

CREDITS

Alexander Polyakov of ERPScan

Trust: 0.9

sources: BID: 77117 // CNNVD: CNNVD-201510-715

SOURCES

db: IVD | id: 4b143dc0-1e5b-11e6-abef-000c29c66e3d
db: CNVD | id: CNVD-2015-07260
db: BID | id: 77117
db: JVNDB | id: JVNDB-2015-007026
db: CNNVD | id: CNNVD-201510-715
db: CNNVD | id: CNNVD-201604-100
db: NVD | id: CVE-2015-8840

LAST UPDATE DATE

2024-11-23T23:02:38.230000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2015-07260 | date: 2015-11-05T00:00:00
db: BID | id: 77117 | date: 2016-07-06T14:23:00
db: JVNDB | id: JVNDB-2015-007026 | date: 2016-04-13T00:00:00
db: CNNVD | id: CNNVD-201510-715 | date: 2015-10-29T00:00:00
db: CNNVD | id: CNNVD-201604-100 | date: 2021-04-22T00:00:00
db: NVD | id: CVE-2015-8840 | date: 2024-11-21T02:39:17.827

SOURCES RELEASE DATE

db: IVD | id: 4b143dc0-1e5b-11e6-abef-000c29c66e3d | date: 2015-11-05T00:00:00
db: CNVD | id: CNVD-2015-07260 | date: 2015-11-05T00:00:00
db: BID | id: 77117 | date: 2015-10-13T00:00:00
db: JVNDB | id: JVNDB-2015-007026 | date: 2016-04-13T00:00:00
db: CNNVD | id: CNNVD-201510-715 | date: 2015-10-29T00:00:00
db: CNNVD | id: CNNVD-201604-100 | date: 2016-04-08T00:00:00
db: NVD | id: CVE-2015-8840 | date: 2016-04-08T00:59:00.120