Vulnerability Details CVE-2017-5372
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 78.3%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2017-5372
- cpe:2.3:a:sap:netweaver:-
- cpe:2.3:a:sap:netweaver:2004s
- cpe:2.3:a:sap:netweaver:4.0
- cpe:2.3:a:sap:netweaver:6.4
- cpe:2.3:a:sap:netweaver:600
- cpe:2.3:a:sap:netweaver:602
- cpe:2.3:a:sap:netweaver:603
- cpe:2.3:a:sap:netweaver:604
- cpe:2.3:a:sap:netweaver:605
- cpe:2.3:a:sap:netweaver:606
- cpe:2.3:a:sap:netweaver:617
- cpe:2.3:a:sap:netweaver:618
- cpe:2.3:a:sap:netweaver:7.0
- cpe:2.3:a:sap:netweaver:7.01
- cpe:2.3:a:sap:netweaver:7.02
- cpe:2.3:a:sap:netweaver:7.03
- cpe:2.3:a:sap:netweaver:7.1
- cpe:2.3:a:sap:netweaver:7.10
- cpe:2.3:a:sap:netweaver:7.11
- cpe:2.3:a:sap:netweaver:7.2
- cpe:2.3:a:sap:netweaver:7.20
- cpe:2.3:a:sap:netweaver:7.22ext
- cpe:2.3:a:sap:netweaver:7.3
- cpe:2.3:a:sap:netweaver:7.30
- cpe:2.3:a:sap:netweaver:7.31
- cpe:2.3:a:sap:netweaver:7.4
- cpe:2.3:a:sap:netweaver:7.40
- cpe:2.3:a:sap:netweaver:7.41
- cpe:2.3:a:sap:netweaver:7.49
- cpe:2.3:a:sap:netweaver:7.5
- cpe:2.3:a:sap:netweaver:7.50
- cpe:2.3:a:sap:netweaver:7.51
- cpe:2.3:a:sap:netweaver:7.52
- cpe:2.3:a:sap:netweaver:7.53
- cpe:2.3:a:sap:netweaver:7.77
- cpe:2.3:a:sap:netweaver:7.81
- cpe:2.3:a:sap:netweaver:7.85
- cpe:2.3:a:sap:netweaver:7.86
- cpe:2.3:a:sap:netweaver:700
- cpe:2.3:a:sap:netweaver:701
- cpe:2.3:a:sap:netweaver:702
- cpe:2.3:a:sap:netweaver:707
- cpe:2.3:a:sap:netweaver:730
- cpe:2.3:a:sap:netweaver:731
- cpe:2.3:a:sap:netweaver:737
- cpe:2.3:a:sap:netweaver:740
- cpe:2.3:a:sap:netweaver:7400.12.21.30308
- cpe:2.3:a:sap:netweaver:747
- cpe:2.3:a:sap:netweaver:750
- cpe:2.3:a:sap:netweaver:751
- cpe:2.3:a:sap:netweaver:752
- cpe:2.3:a:sap:netweaver:753
- cpe:2.3:a:sap:netweaver:754
- cpe:2.3:a:sap:netweaver:755
- cpe:2.3:a:sap:netweaver:756
- cpe:2.3:a:sap:netweaver:757
- cpe:2.3:a:sap:netweaver:800
- cpe:2.3:a:sap:netweaver:802
- cpe:2.3:a:sap:netweaver:803
- cpe:2.3:a:sap:netweaver:804
- cpe:2.3:a:sap:netweaver:805
- cpe:2.3:a:sap:netweaver:806
- cpe:2.3:a:sap:netweaver:807
- cpe:2.3:a:sap:netweaver:application_server_java
- cpe:2.3:a:sap:netweaver:kernel_7.22
- cpe:2.3:a:sap:netweaver:kernel_7.53
- cpe:2.3:a:sap:netweaver:kernel_7.54
- cpe:2.3:a:sap:netweaver:krnl64nuc_7.22
- cpe:2.3:a:sap:netweaver:krnl64nuc_7.22ext
- cpe:2.3:a:sap:netweaver:krnl64uc_7.22
- cpe:2.3:a:sap:netweaver:krnl64uc_7.22ext
- cpe:2.3:a:sap:netweaver:krnl64uc_7.53
- cpe:2.3:a:sap:netweaver:webdisp_7.22ext
- cpe:2.3:a:sap:netweaver:webdisp_7.53
- cpe:2.3:a:sap:netweaver:webdisp_7.54