Vulnerability Details: CVE-2016-2388
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
Vulnerability category: Information leak
Products affected by CVE-2016-2388
- SAP » NetWeaver Application Server Java, versions from 7.10 (inclusive) up to and including 7.50
  CPE: cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*
CVE-2016-2388 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: SAP NetWeaver Information Disclosure Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-2388
Added on: 2022-06-09
Action due date: 2022-06-30
Exploit prediction scoring system (EPSS) score for CVE-2016-2388
EPSS score: 1.26% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~85% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
Both values are a snapshot; EPSS is recomputed daily, so check the current figures before using them in a prioritisation decision.
CVSS scores for CVE-2016-2388

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
| 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2016-2388
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-2388
- SAP Security Notes February 2016 review (Third Party Advisory): https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- SAP NetWeaver J2EE Engine 7.40 - SQL Injection (Exploit; Third Party Advisory; VDB Entry): https://www.exploit-db.com/exploits/43495/
- SAP NetWeaver J2EE Engine 7.40 SQL Injection (Exploit; Third Party Advisory; VDB Entry): http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- SAP NetWeaver AS JAVA 7.5 Information Disclosure (Exploit; Third Party Advisory; VDB Entry): http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- [ERPSCAN-16-010] SAP NetWeaver AS JAVA - information disclosure vulnerability (Third Party Advisory): https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- SAP NetWeaver AS JAVA 7.1 < 7.5 - Information Disclosure (Exploit; Third Party Advisory; VDB Entry): https://www.exploit-db.com/exploits/39841/
- Full Disclosure: [ERPSCAN-16-010] SAP NetWeaver AS JAVA - information disclosure vulnerability (Exploit; Mailing List; Third Party Advisory): http://seclists.org/fulldisclosure/2016/May/55