ID

VAR-201704-1563


CVE

CVE-2017-7717


TITLE

SQL injection vulnerability in the getUserUddiElements method of the ES UDDI component in SAP NetWeaver AS Java

Trust: 0.8

sources: JVNDB: JVNDB-2017-003171

DESCRIPTION

SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. SAP NetWeaver is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SAP NetWeaver 7.40 is vulnerable; other versions may also be affected.

Trust: 2.16

sources: NVD: CVE-2017-7717 // JVNDB: JVNDB-2017-003171 // BID: 100168 // BID: 95364

AFFECTED PRODUCTS

vendor: sap, model: netweaver application server java, scope: eq, version: 7.40

Trust: 1.0

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 0.9

vendor: sap, model: netweaver, scope: eq, version: as java 7.4

Trust: 0.8

vendor: sap, model: customer relationship management, scope: eq, version: 0

Trust: 0.3

sources: BID: 100168 // BID: 95364 // JVNDB: JVNDB-2017-003171 // CNNVD: CNNVD-201704-820 // NVD: CVE-2017-7717

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7717
value: HIGH

Trust: 1.0

NVD: CVE-2017-7717
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201704-820
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2017-7717
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2017-7717
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-7717
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2017-003171 // CNNVD: CNNVD-201704-820 // NVD: CVE-2017-7717

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2017-003171 // NVD: CVE-2017-7717

THREAT TYPE

network

Trust: 0.6

sources: BID: 100168 // BID: 95364

TYPE

Input Validation Error

Trust: 0.6

sources: BID: 100168 // BID: 95364

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003171

PATCH

title: Top Page, url: https://www.sap.com/index.html

Trust: 0.8

title: Remediation measures for the SAP NetWeaver AS Java ES UDDI SQL injection vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70235

Trust: 0.6

sources: JVNDB: JVNDB-2017-003171 // CNNVD: CNNVD-201704-820

EXTERNAL IDS

db: NVD, id: CVE-2017-7717

Trust: 3.0

db: BID, id: 100168

Trust: 1.9

db: BID, id: 95364

Trust: 1.9

db: JVNDB, id: JVNDB-2017-003171

Trust: 0.8

db: CNNVD, id: CNNVD-201704-820

Trust: 0.6

sources: BID: 100168 // BID: 95364 // JVNDB: JVNDB-2017-003171 // CNNVD: CNNVD-201704-820 // NVD: CVE-2017-7717

REFERENCES

url:http://www.securityfocus.com/bid/100168

Trust: 2.2

url:https://erpscan.io/advisories/erpscan-17-003-sap-netweaver-7-4-getuseruddielements-sql-injection/

Trust: 1.6

url:http://www.securityfocus.com/bid/95364

Trust: 1.6

url:http://www.sap.com

Trust: 1.2

url:https://erpscan.com/advisories/erpscan-17-003-sap-netweaver-7-4-getuseruddielements-sql-injection/

Trust: 1.1

url:https://launchpad.support.sap.com/#/notes/2450979

Trust: 0.9

url:https://blogs.sap.com/2017/08/08/sap-security-patch-day-august-2017/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7717

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-7717

Trust: 0.8

url:https://service.sap.com/sap/support/notes/2356504

Trust: 0.3

sources: BID: 100168 // BID: 95364 // JVNDB: JVNDB-2017-003171 // CNNVD: CNNVD-201704-820 // NVD: CVE-2017-7717

CREDITS

Vahagn Vardanyan (ERPScan)

Trust: 0.9

sources: BID: 95364 // CNNVD: CNNVD-201704-820

SOURCES

db: BID, id: 100168
db: BID, id: 95364
db: JVNDB, id: JVNDB-2017-003171
db: CNNVD, id: CNNVD-201704-820
db: NVD, id: CVE-2017-7717

LAST UPDATE DATE

2024-11-23T22:59:19.395000+00:00

SOURCES UPDATE DATE

db: BID, id: 100168, date: 2019-04-15T19:00:00
db: BID, id: 95364, date: 2017-04-18T00:06:00
db: JVNDB, id: JVNDB-2017-003171, date: 2017-05-18T00:00:00
db: CNNVD, id: CNNVD-201704-820, date: 2021-04-22T00:00:00
db: NVD, id: CVE-2017-7717, date: 2024-11-21T03:32:30.657

SOURCES RELEASE DATE

db: BID, id: 100168, date: 2017-08-08T00:00:00
db: BID, id: 95364, date: 2017-01-10T00:00:00
db: JVNDB, id: JVNDB-2017-003171, date: 2017-05-18T00:00:00
db: CNNVD, id: CNNVD-201704-820, date: 2017-04-14T00:00:00
db: NVD, id: CVE-2017-7717, date: 2017-04-14T18:59:01.110