Details of VAR-201712-0108

ID

VAR-201712-0108

CVE

CVE-2017-16682

TITLE

SAP NetWeaver Internet Transaction Server and SAP Basis Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011211

DESCRIPTION

SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. SAP Netweaver is prone to a vulnerability that lets attackers inject and execute arbitrary code. Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition

Trust: 1.89

sources: NVD: CVE-2017-16682 // JVNDB: JVNDB-2017-011211 // BID: 102143

AFFECTED PRODUCTS

vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.30	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	netweaver internet transaction server	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.31	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	gte	version:	7.50	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	gte	version:	7.00	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	lte	version:	7.52	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	lte	version:	7.02	Trust: 1.0
vendor:	sap	model:	basis	scope:	eq	version:	7.00 to 7.02	Trust: 0.8
vendor:	sap	model:	basis	scope:	eq	version:	7.30	Trust: 0.8
vendor:	sap	model:	basis	scope:	eq	version:	7.31	Trust: 0.8
vendor:	sap	model:	basis	scope:	eq	version:	7.40	Trust: 0.8
vendor:	sap	model:	basis	scope:	eq	version:	7.50 to 7.52	Trust: 0.8
vendor:	sap	model:	netweaver internet transaction server	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	eq	version:	0	Trust: 0.3

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-16682
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-16682
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201712-418
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-16682
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2017-16682
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2017-011211 // NVD: CVE-2017-16682

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-418

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201712-418

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011211

PATCH

title:	December 2017 (2526781)	url:	https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/	Trust: 0.8
title:	SAP NetWeaver Internet Transaction Server Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77124	Trust: 0.6

sources: JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418

EXTERNAL IDS

db:	NVD	id:	CVE-2017-16682	Trust: 2.7
db:	BID	id:	102143	Trust: 1.3
db:	JVNDB	id:	JVNDB-2017-011211	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-418	Trust: 0.6

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

REFERENCES

url:	https://launchpad.support.sap.com/#/notes/2526781	Trust: 1.9
url:	https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/	Trust: 1.9
url:	http://www.securityfocus.com/bid/102143	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16682	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-16682	Trust: 0.8
url:	http://www.sap.com/	Trust: 0.3

sources: BID: 102143 // JVNDB: JVNDB-2017-011211 // CNNVD: CNNVD-201712-418 // NVD: CVE-2017-16682

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102143

SOURCES

db:	BID	id:	102143
db:	JVNDB	id:	JVNDB-2017-011211
db:	CNNVD	id:	CNNVD-201712-418
db:	NVD	id:	CVE-2017-16682

LAST UPDATE DATE

2024-08-14T14:13:09.698000+00:00

SOURCES UPDATE DATE

db:	BID	id:	102143	date:	2017-12-19T22:01:00
db:	JVNDB	id:	JVNDB-2017-011211	date:	2018-01-11T00:00:00
db:	CNNVD	id:	CNNVD-201712-418	date:	2017-12-13T00:00:00
db:	NVD	id:	CVE-2017-16682	date:	2017-12-22T14:34:21.977

SOURCES RELEASE DATE

db:	BID	id:	102143	date:	2017-12-12T00:00:00
db:	JVNDB	id:	JVNDB-2017-011211	date:	2018-01-11T00:00:00
db:	CNNVD	id:	CNNVD-201712-418	date:	2017-12-13T00:00:00
db:	NVD	id:	CVE-2017-16682	date:	2017-12-12T14:29:00.403