Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
erpscanERPScanERPSCAN-16-010
HistorySep 15, 2015 - 12:00 a.m.

SAP NetWeaver AS JAVA - information disclosure vulnerability

2015-09-1500:00:00
erpscan.io
125

0.013 Low

EPSS

Percentile

85.6%

JSON

Application: SAP NetWeaver AS JAVA **Versions Affected:**SAP NetWeaver AS JAVA 7.1 – 7.5 Vendor URL:SAP **Bugs:**Information disclosure **Reported:**15.09.2015 **Vendor response:**16.09.2015 **Date of Public Advisory:**09.02.2016 **Reference:**SAP Security Note 2256846 Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION
Class: Information disclosure
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2388

CVSS Information
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality Low(N)
I : Impact to Integrity None(N)
A : Impact to Availability None (N)

Description
Anonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.

Business risk
An attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) that will help him to learn about a system and to plan other attacks.

VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.4, 7.5
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2256846

TECHNICAL DESCRIPTION
An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) that will help him to learn more about a system and to plan further attacks.

Steps to exploit this vulnerability
1. Open

http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#

1

|

http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#

—|—

page on SAP server
2. Press “Choose” button
3. In the opened window press “Search”
You will get a list of SAP users

Related

cisa_kev 1
checkpoint_advisories 1
prion 1
cvelist 1
nvd 1
cve 1
exploitpack 2
attackerkb 1
zdt 2
packetstorm 2
nessus 1
exploitdb 2
openvas 1
cisa_kev
cisa_kev
SAP NetWeaver Information Disclosure Vulnerability
2022-06-09 00:00:00
checkpoint_advisories
checkpoint_advisories
SAP NetWeaver Information Disclosure (CVE-2016-2388)
2022-07-20 00:00:00
prion
prion
Design/Logic Flaw
2016-02-16 15:59:00
cvelist
cvelist
CVE-2016-2388
2016-02-16 15:00:00
nvd
nvd
CVE-2016-2388
2016-02-16 15:59:02
cve
cve
CVE-2016-2388
2016-02-16 15:59:02
exploitpack
exploitpack
SAP NetWeaver AS JAVA 7.1 7.5 - Information Disclosure
2016-05-19 00:00:00
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
2018-01-10 00:00:00
attackerkb
attackerkb
CVE-2016-2388
2016-02-16 00:00:00
zdt
zdt
SAP NetWeaver AS JAVA 7.1 < 7.5 - Information Disclosure
2016-05-19 00:00:00
SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit
2018-01-11 00:00:00
packetstorm
packetstorm
SAP NetWeaver AS JAVA 7.5 Information Disclosure
2016-05-19 00:00:00
SAP NetWeaver J2EE Engine 7.40 SQL Injection
2018-01-12 00:00:00
nessus
nessus
SAP NetWeaver AS Java Information Disclosure (2256846)
2022-06-16 00:00:00
exploitdb
exploitdb
SAP NetWeaver AS JAVA 7.1 &lt; 7.5 - Information Disclosure
2016-05-19 00:00:00
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
2018-01-10 00:00:00
openvas
openvas
SAP NetWeaver AS Java Multiple Vulnerabilities (2101079, 2191290, 2256846)
2016-05-23 00:00:00

0.013 Low

EPSS

Percentile

85.6%

JSON
Related for ERPSCAN-16-010
cisa_kev1checkpoint_advisories1prion1cvelist1nvd1cve1exploitpack2attackerkb1zdt2packetstorm2nessus1exploitdb2openvas1