Vulnerability Details CVE-2016-3635
SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.0
References
- http://seclists.org/fulldisclosure/2016/Oct/48
- http://www.securityfocus.com/bid/93501
- https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass
- http://seclists.org/fulldisclosure/2016/Oct/48
- http://www.securityfocus.com/bid/93501
- https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass