Vulnerability Details CVE-2016-2388
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.582
EPSS Ranking 98.1%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
Proposed Action
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/55
- https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.exploit-db.com/exploits/39841/
- https://www.exploit-db.com/exploits/43495/
- http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/55
- https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.exploit-db.com/exploits/39841/
- https://www.exploit-db.com/exploits/43495/
Products affected by CVE-2016-2388
-
cpe:2.3:a:sap:netweaver_application_server_java:7.10
-
cpe:2.3:a:sap:netweaver_application_server_java:7.11
-
cpe:2.3:a:sap:netweaver_application_server_java:7.20
-
cpe:2.3:a:sap:netweaver_application_server_java:7.21
-
cpe:2.3:a:sap:netweaver_application_server_java:7.22
-
cpe:2.3:a:sap:netweaver_application_server_java:7.30
-
cpe:2.3:a:sap:netweaver_application_server_java:7.31
-
cpe:2.3:a:sap:netweaver_application_server_java:7.40
-
cpe:2.3:a:sap:netweaver_application_server_java:7.45
-
cpe:2.3:a:sap:netweaver_application_server_java:7.49
-
cpe:2.3:a:sap:netweaver_application_server_java:7.50