ID

VAR-201704-1573


CVE

CVE-2017-7691


TITLE

SAP TREX / Business Warehouse Accelerator Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003092

DESCRIPTION

A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592. Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition.

Trust: 1.89

sources: NVD: CVE-2017-7691 // JVNDB: JVNDB-2017-003092 // BID: 97567

AFFECTED PRODUCTS

vendor: sap // model: trex // scope: eq // version: -

Trust: 1.6

vendor: sap // model: trex // scope: eq // version: business warehouse accelerator

Trust: 0.8

vendor: sap // model: netweaver search and classification // scope: eq // version: 0

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 0

Trust: 0.3

vendor: sap // model: business warehouse accelerator // scope: eq // version: 0

Trust: 0.3

sources: BID: 97567 // JVNDB: JVNDB-2017-003092 // CNNVD: CNNVD-201704-581 // NVD: CVE-2017-7691

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-7691
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-7691
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201704-581
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2017-7691
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2017-7691
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2017-003092 // CNNVD: CNNVD-201704-581 // NVD: CVE-2017-7691

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2017-003092 // NVD: CVE-2017-7691

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-581

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201704-581

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:sap:trex"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2017-003092

PATCH

title: SAP Security Patch Day - April 2017 (2419592) // url: https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/

Trust: 0.8

title: SAP TREX/Business Warehouse Accelerator Fixes for code injection vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70172

Trust: 0.6

sources: JVNDB: JVNDB-2017-003092 // CNNVD: CNNVD-201704-581

EXTERNAL IDS

db: NVD // id: CVE-2017-7691

Trust: 2.7

db: BID // id: 97567

Trust: 1.3

db: JVNDB // id: JVNDB-2017-003092

Trust: 0.8

db: CNNVD // id: CNNVD-201704-581

Trust: 0.6

sources: BID: 97567 // JVNDB: JVNDB-2017-003092 // CNNVD: CNNVD-201704-581 // NVD: CVE-2017-7691

REFERENCES

url: https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/

Trust: 1.9

url: http://www.securityfocus.com/bid/97567

Trust: 1.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7691

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-7691

Trust: 0.8

url: http://www.sap.com/

Trust: 0.3

url: https://service.sap.com/sap/support/notes/2419592

Trust: 0.3

sources: BID: 97567 // JVNDB: JVNDB-2017-003092 // CNNVD: CNNVD-201704-581 // NVD: CVE-2017-7691

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 97567

SOURCES

db: BID // id: 97567
db: JVNDB // id: JVNDB-2017-003092
db: CNNVD // id: CNNVD-201704-581
db: NVD // id: CVE-2017-7691

LAST UPDATE DATE

2024-11-23T22:07:27.025000+00:00


SOURCES UPDATE DATE

db: BID // id: 97567 // date: 2017-04-18T00:04:00
db: JVNDB // id: JVNDB-2017-003092 // date: 2017-05-15T00:00:00
db: CNNVD // id: CNNVD-201704-581 // date: 2017-05-17T00:00:00
db: NVD // id: CVE-2017-7691 // date: 2024-11-21T03:32:28.393

SOURCES RELEASE DATE

db: BID // id: 97567 // date: 2017-04-11T00:00:00
db: JVNDB // id: JVNDB-2017-003092 // date: 2017-05-15T00:00:00
db: CNNVD // id: CNNVD-201704-581 // date: 2017-04-11T00:00:00
db: NVD // id: CVE-2017-7691 // date: 2017-04-11T21:59:00.180