Vulnerability Details : CVE-2016-6150
The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2233550.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2016-6150
- cpe:2.3:a:sap:hana:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-6150
- EPSS score: 1.27% (probability of exploitation activity in the next 30 days)
- Percentile: ~85% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-6150
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2016-6150
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-6150
- https://layersevensecurity.com/wp-content/uploads/2016/02/Layer-Seven-Security_SAP-Security-Notes_January-2016.pdf
  Page not found - Layer Seven Security (Technical Description; Third Party Advisory)
- http://seclists.org/fulldisclosure/2016/Aug/96
  Full Disclosure: Onapsis Security Advisory ONAPSIS-2016-040: SAP HANA potential wrong encryption
- http://packetstormsecurity.com/files/138453/SAP-HANA-DB-Encryption-Issue.html
  SAP HANA DB Encryption Issue ≈ Packet Storm
- http://www.securityfocus.com/bid/92064
  SAP HANA CVE-2016-6150 Access Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://www.onapsis.com/research/security-advisories/sap-hana-potential-wrong-encryption
  SAP HANA Potential Wrong Encryption | Onapsis (Permissions Required; Third Party Advisory)