Vulnerability Details CVE-2016-2388
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.479
EPSS Ranking 97.6%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
Proposed Action
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/55
- https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.exploit-db.com/exploits/39841/
- https://www.exploit-db.com/exploits/43495/
- http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/55
- https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.exploit-db.com/exploits/39841/
- https://www.exploit-db.com/exploits/43495/
Products affected by CVE-2016-2388
-
cpe:2.3:a:sap:netweaver_application_server_java:7.10
-
cpe:2.3:a:sap:netweaver_application_server_java:7.11
-
cpe:2.3:a:sap:netweaver_application_server_java:7.20
-
cpe:2.3:a:sap:netweaver_application_server_java:7.21
-
cpe:2.3:a:sap:netweaver_application_server_java:7.22
-
cpe:2.3:a:sap:netweaver_application_server_java:7.30
-
cpe:2.3:a:sap:netweaver_application_server_java:7.31
-
cpe:2.3:a:sap:netweaver_application_server_java:7.40
-
cpe:2.3:a:sap:netweaver_application_server_java:7.45
-
cpe:2.3:a:sap:netweaver_application_server_java:7.49
-
cpe:2.3:a:sap:netweaver_application_server_java:7.50