ID

VAR-201712-0108


CVE

CVE-2017-16682


TITLE

SAP NetWeaver Internet Transaction Server and SAP Basis Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011211

DESCRIPTION

SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. SAP NetWeaver is prone to a vulnerability that lets attackers inject and execute arbitrary code. Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition.

Trust: 1.89

sources: NVD: CVE-2017-16682 // JVNDB: JVNDB-2017-011211 // BID: 102143

AFFECTED PRODUCTS

vendor: sap, model: business application software integrated solution, scope: eq, version: 7.30

Trust: 1.6

vendor: sap, model: business application software integrated solution, scope: eq, version: 7.40

Trust: 1.6

vendor: sap, model: netweaver internet transaction server, scope: eq, version: -

Trust: 1.6

vendor: sap, model: business application software integrated solution, scope: eq, version: 7.31

Trust: 1.6

vendor: sap, model: business application software integrated solution, scope: gte, version: 7.50

Trust: 1.0

vendor: sap, model: business application software integrated solution, scope: gte, version: 7.00

Trust: 1.0

vendor: sap, model: business application software integrated solution, scope: lte, version: 7.52

Trust: 1.0

vendor: sap, model: business application software integrated solution, scope: lte, version: 7.02

Trust: 1.0

vendor: sap, model: basis, scope: eq, version: 7.00 to 7.02

Trust: 0.8

vendor: sap, model: basis, scope: eq, version: 7.30

Trust: 0.8

vendor: sap, model: basis, scope: eq, version: 7.31

Trust: 0.8

vendor: sap, model: basis, scope: eq, version: 7.40

Trust: 0.8

vendor: sap, model: basis, scope: eq, version: 7.50 to 7.52

Trust: 0.8

vendor: sap, model: netweaver internet transaction server, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 0

Trust: 0.3

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16682
value: HIGH

Trust: 1.0

NVD: CVE-2017-16682
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201712-418
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-16682
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2017-16682
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2017-011211 // NVD: CVE-2017-16682

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-418

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201712-418

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011211

PATCH

title: December 2017 (2526781), url: https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/

Trust: 0.8

title: SAP NetWeaver Internet Transaction Server Fixes for command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77124

Trust: 0.6

sources: JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418

EXTERNAL IDS

db: NVD, id: CVE-2017-16682

Trust: 2.7

db: BID, id: 102143

Trust: 1.3

db: JVNDB, id: JVNDB-2017-011211

Trust: 0.8

db: CNNVD, id: CNNVD-201712-418

Trust: 0.6

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

REFERENCES

url:https://launchpad.support.sap.com/#/notes/2526781

Trust: 1.9

url:https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/

Trust: 1.9

url:http://www.securityfocus.com/bid/102143

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16682

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-16682

Trust: 0.8

url:http://www.sap.com/

Trust: 0.3

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102143

SOURCES

db: BID, id: 102143
db: JVNDB, id: JVNDB-2017-011211
db: CNNVD, id: CNNVD-201712-418
db: NVD, id: CVE-2017-16682

LAST UPDATE DATE

2024-08-14T14:13:09.698000+00:00


SOURCES UPDATE DATE

db: BID, id: 102143, date: 2017-12-19T22:01:00
db: JVNDB, id: JVNDB-2017-011211, date: 2018-01-11T00:00:00
db: CNNVD, id: CNNVD-201712-418, date: 2017-12-13T00:00:00
db: NVD, id: CVE-2017-16682, date: 2017-12-22T14:34:21.977

SOURCES RELEASE DATE

db: BID, id: 102143, date: 2017-12-12T00:00:00
db: JVNDB, id: JVNDB-2017-011211, date: 2018-01-11T00:00:00
db: CNNVD, id: CNNVD-201712-418, date: 2017-12-13T00:00:00
db: NVD, id: CVE-2017-16682, date: 2017-12-12T14:29:00.403