CVE-2017-16682 : SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.

SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application.

Published 2017-12-12 14:29:00

Updated 2017-12-22 14:34:22

Source SAP SE

View at NVD, CVE.org

Products affected by CVE-2017-16682

SAP » Netweaver Internet Transaction Server » Version: N/A
cpe:2.3:a:sap:netweaver_internet_transaction_server:-:*:*:*:*:*:*:*
Matching versions
SAP » Business Application Software Integrated Solution
Versions from including (>=) 7.00 and up to, including, (<=) 7.02
cpe:2.3:a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:*
Matching versions
SAP » Business Application Software Integrated Solution
Versions from including (>=) 7.50 and up to, including, (<=) 7.52
cpe:2.3:a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:*
Matching versions
SAP » Business Application Software Integrated Solution » Version: 7.30
cpe:2.3:a:sap:business_application_software_integrated_solution:7.30:*:*:*:*:*:*:*
Matching versions
SAP » Business Application Software Integrated Solution » Version: 7.31
cpe:2.3:a:sap:business_application_software_integrated_solution:7.31:*:*:*:*:*:*:*
Matching versions
SAP » Business Application Software Integrated Solution » Version: 7.40
cpe:2.3:a:sap:business_application_software_integrated_solution:7.40:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-16682

EPSS FAQ

0.80%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 72 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-16682

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-16682

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-16682

https://launchpad.support.sap.com/#/notes/2526781

SAP ONE Support Launchpad: Log On
Permissions Required
http://www.securityfocus.com/bid/102143

SAP Netweaver CVE-2017-16682 Remote Code Injection Vulnerability
Third Party Advisory;VDB Entry
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/

SAP Security Patch Day – December 2017 | SAP Blogs
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-16682

Products affected by CVE-2017-16682

Exploit prediction scoring system (EPSS) score for CVE-2017-16682

CVSS scores for CVE-2017-16682

CWE ids for CVE-2017-16682

References for CVE-2017-16682