All the vulnerabilities related to SAP - Solution Manager
var-201407-0410
Vulnerability from variot

The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS. SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. Attackers exploit vulnerabilities to bypass certain security restrictions.

Onapsis Security Advisory 2014-023: HTTP verb tampering issue in SAP_JTECHS

This advisory can be downloaded in PDF format from http://www.onapsis.com/.

By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

  1. Impact on Business

By exploiting this vulnerability a remote unauthenticated attacker would be able to access restricted functionality and information.

Risk Level: Medium

  2. Advisory Information

    • Public Release Date: 2014-07-29
    • Subscriber Notification Date: 2014-07-29
    • Last Revised: 2014-07-25
    • Security Advisory ID: ONAPSIS-2012-023
    • Onapsis SVS ID: ONAPSIS-00061
    • Researcher: Nahuel D. Sánchez
    • Initial Base CVSS v2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  3. Vulnerability Information

    • Vendor: SAP
    • Affected Components:
        • SAP Solution Manager 7.1 (Check SAP Note 1778940 for detailed information on affected releases)
    • Vulnerability Class: Authentication Bypass (CWE-302)
    • Remotely Exploitable: Yes
    • Locally Exploitable: No
    • Authentication Required: No
    • Detection Module available in Onapsis X1: Yes
    • Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-023

  4. Affected Components Description

The License Measurement Servlet allows system administrators to review System's license usage and perform system tests.

Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

  6. Solution

SAP has released SAP Note 1778940 which provides patched versions of the affected components.

The patches can be downloaded from https://service.sap.com/sap/support/notes/1778940 .

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

  7. Report Timeline

    • 2012-07-30: Onapsis provides vulnerability information to SAP AG.
    • 2014-04-08: SAP releases security patches.
    • 2014-07-29: Onapsis notifies availability of security advisory.

About Onapsis, Inc.

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats.

Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and New York Times.

For further information about our solutions, please contact us at info@onapsis.com and visit our website at www.onapsis.com.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201407-0410",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "sap",
        "version": "7.1"
      },
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.x"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:solution_manager:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Nahuel D. Snchez",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2014-5175",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2014-5175",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2014-05118",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-5175",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-05118",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201407-733",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS. SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. Attackers exploit vulnerabilities to bypass certain security restrictions. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nOnapsis Security Advisory2014-023: HTTP verb tampering issue in SAP_JTECHS\n\nThis advisory can be downloaded in PDF format from http://www.onapsis.com/. \n\nBy downloading this advisory from the Onapsis Resource Center, you will\ngain access to beforehand information on upcoming advisories,\npresentations and new research projects from the Onapsis Research Labs,\nas well as exclusive access to special promotions for upcoming trainings\nand conferences. \n\n\n1. Impact on Business             \n\nBy exploiting this vulnerability a remote unauthenticated attacker would\nbe able to access restricted functionality and information. \n\nRisk Level: Medium\n\n2. Advisory Information\n\n- - Public Release Date: 2014-07-29\n\n- - Subscriber Notification Date: 2014-07-29\n\n- - Last Revised: 2014-07-25\n\n- - Security Advisory ID: ONAPSIS-2012-023\n\n- - Onapsis SVS ID: ONAPSIS-00061\n\n- - Researcher: Nahuel D. S\\xe1nchez\n\n- - Initial Base CVSS v2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n3. Vulnerability Information\n\n- - Vendor: SAP\n\n- - Affected Components:\n\n  - SAP Solution Manager 7.1\n    (Check SAP Note 1778940 for detailed information on affected releases)\n\n- - Vulnerability Class: Authentication Bypass (CWE-302)\n\n- - Remotely Exploitable: Yes\n\n- - Locally Exploitable: No\n\n- - Authentication Required: No\n\n- - Detection Module available in Onapsis X1: Yes\n\n- - Original Advisory:\nhttp://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-023\n\n\n4. Affected Components Description\n\nThe License Measurement Servlet allows system administrators to review\nSystem\u0027s license usage and perform system tests. \n\n5. \n\nTechnical details about this issue are not disclosed at this moment with\nthe purpose of providing enough time to affected customers to patch\ntheir systems and protect against the exploitation of the described\nvulnerability. \n\n6. Solution\n\nSAP has released SAP Note 1778940 which provides patched versions of the\naffected components. \n\nThe patches can be downloaded from\nhttps://service.sap.com/sap/support/notes/1778940 . \n\nOnapsis strongly recommends SAP customers to download the related\nsecurity fixes and apply them to the affected components in order to\nreduce business risks. \n\n7. Report Timeline\n\n2012-07-30: Onapsis provides vulnerability information to SAP AG. \n2014-04-08: SAP releases security patches. \n2014-07-29: Onapsis notifies availability of security advisory. \n\n\nAbout Onapsis, Inc. \n\nOnapsis provides innovative security software solutions to protect ERP\nsystems from cyber-attacks. Through unmatched ERP security, compliance\nand continuous monitoring products, Onapsis secures the\nbusiness-critical infrastructure of its global customers against\nespionage, sabotage and financial fraud threats. \n\nOnapsis X1, the company\u0027s flagship product, is the industry\u0027s first\ncomprehensive solution for the automated security assessment of SAP\nplatforms. Being the first and only SAP-certified solution of its kind,\nOnapsis X1 allows customers to perform automated Vulnerability\nAssessments, Security \u0026 Compliance Audits and Penetration Tests over\ntheir entire SAP platform. \n\nOnapsis is backed by the Onapsis Research Labs, a world-renowned team of\nSAP \u0026 ERP security experts who are continuously invited to lecture at\nthe leading IT security conferences, such as RSA and BlackHat, and\nfeatured by mainstream media such as CNN, Reuters, IDG and New York Times. \n\nFor further information about our solutions, please contact us at\ninfo@onapsis.com and visit our website at www.onapsis.com. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.12 (GNU/Linux)\nComment: Onapsis Research Team\n\niEYEARECAAYFAlPXtaIACgkQz3i6WNVBcDXjLwCggwu7sLoMy8KuSuZVAnlSR/7j\nDrUAoNp3hUvPzYg8+zQ0vRpnGtjTEHeR\n=vdlU\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "BID",
        "id": "68949"
      },
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "PACKETSTORM",
        "id": "127668"
      }
    ],
    "trust": 2.7
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-5175",
        "trust": 2.7
      },
      {
        "db": "BID",
        "id": "68949",
        "trust": 1.9
      },
      {
        "db": "SECUNIA",
        "id": "59548",
        "trust": 1.6
      },
      {
        "db": "PACKETSTORM",
        "id": "127668",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658",
        "trust": 0.8
      },
      {
        "db": "XF",
        "id": "94932",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "3FC0F74C-1EC4-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "BID",
        "id": "68949"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "PACKETSTORM",
        "id": "127668"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "id": "VAR-201407-0410",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      }
    ],
    "trust": 0.08
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:08:03.819000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP Security Note 1778940",
        "trust": 0.8,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "title": "SAP Solution Manager",
        "trust": 0.8,
        "url": "https://help.sap.com/saphelp_smehp1/helpdata/ja/b3/64c33af662c514e10000000a114084/frameset.htm"
      },
      {
        "title": "SAP Solution Manager License Measurement Servlet Security Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/49211"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-023"
      },
      {
        "trust": 1.7,
        "url": "https://service.sap.com/sap/support/notes/1778940"
      },
      {
        "trust": 1.6,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "trust": 1.6,
        "url": "http://seclists.org/fulldisclosure/2014/jul/151"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/68949"
      },
      {
        "trust": 1.0,
        "url": "http://secunia.com/advisories/59548"
      },
      {
        "trust": 1.0,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94932"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5175"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5175"
      },
      {
        "trust": 0.8,
        "url": "http://packetstormsecurity.com/files/127668/sap_jtechs-http-verb-tampering.html"
      },
      {
        "trust": 0.6,
        "url": "http://secunia.com/advisories/59548/"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/94932"
      },
      {
        "trust": 0.1,
        "url": "https://www.onapsis.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.onapsis.com/."
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "PACKETSTORM",
        "id": "127668"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "db": "BID",
        "id": "68949"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "db": "PACKETSTORM",
        "id": "127668"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-08-21T00:00:00",
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2014-08-21T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "date": "2014-07-29T00:00:00",
        "db": "BID",
        "id": "68949"
      },
      {
        "date": "2014-08-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "date": "2014-07-29T23:01:57",
        "db": "PACKETSTORM",
        "id": "127668"
      },
      {
        "date": "2014-07-31T14:55:04.300000",
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "date": "2014-07-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-08-21T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      },
      {
        "date": "2014-08-05T00:19:00",
        "db": "BID",
        "id": "68949"
      },
      {
        "date": "2014-08-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-003658"
      },
      {
        "date": "2017-08-29T01:35:12.203000",
        "db": "NVD",
        "id": "CVE-2014-5175"
      },
      {
        "date": "2014-08-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "127668"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Solution Manager License Measurement Servlet Security Bypass Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "3fc0f74c-1ec4-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-05118"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201407-733"
      }
    ],
    "trust": 0.6
  }
}

var-201605-0004
Vulnerability from variot

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. Attacks on this vulnerability were observed from 2013 through 2016. The vulnerability is known as the "Detour" attack. The vendor has confirmed the vulnerability and released SAP Security Note 1445998 for it. A third party may execute arbitrary code via an HTTP or HTTPS request. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver Invoker Servlet has a security vulnerability that allows an attacker to call any servlet even if it is not declared in the web.xml file. This includes any servlet classes available in the application classloader, such as those in the WEB-INF\classes, WEB-INF\lib, and WEB-INF\additional-lib application directories. Many servlets shipped with Java applications are not designed for direct client access and are meant to be used only inside the application, so calling them directly can cause arbitrary, unseen operations to be performed on the SAP server. An attacker may leverage this issue to execute arbitrary script code within the context of the affected application.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201605-0004",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.5,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.1,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver application server java",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver sp15",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver sp8",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "sap",
        "version": "7.10"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "sap",
        "version": "7.02"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "sap",
        "version": "7.01"
      },
      {
        "model": "netweaver application server java",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.3"
      },
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "supply chain management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "product lifecycle management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "netweaver composition environment",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "exchange infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "enterprise portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "0"
      },
      {
        "model": "netweaver sp15",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.0*"
      },
      {
        "model": "netweaver sp8",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.0*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.10*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.30*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.02*"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.2,
        "vendor": "sap",
        "version": "7.01*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.30",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Onapsis Security",
    "sources": [
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      }
    ],
    "trust": 1.2
  },
  "cve": "CVE-2010-5326",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": true,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2010-5326",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": null,
            "accessVector": null,
            "authentication": null,
            "author": "IVD",
            "availabilityImpact": null,
            "baseScore": null,
            "confidentialityImpact": null,
            "exploitabilityScore": null,
            "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d",
            "impactScore": null,
            "integrityImpact": null,
            "severity": null,
            "trust": 0.2,
            "vectorString": null,
            "version": "unknown"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 10.0,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2010-5326",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2010-5326",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201605-399",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2010-5326",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a \"Detour\" attack. Attacks on this vulnerability were observed from 2013 to 2016. This vulnerability is called a \"Detour\" attack. The vendor has confirmed this vulnerability; it is released as SAP Security Note 1445998. A third party may execute arbitrary code via an HTTP or HTTPS request. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP Netweaver Invoker Servlet has a security vulnerability that allows an attacker to call any servlet even if it is declared in a web.xml file. This includes any servlet classes available in the application classloader, such as those in the WEB-INF\\\\classes, WEB-INF\\\\lib, and WEB-INF\\\\additinal-lib application directories. Multiple servlets included with Java applications are not designed for direct client access, but instead interact inside the application, thus causing arbitrary calls to be performed and invisible operations on the SAP server. \nAn attacker may leverage this issue to execute arbitrary script code within the context of the affected application",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      }
    ],
    "trust": 2.97
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "48925",
        "trust": 3.2
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326",
        "trust": 2.8
      },
      {
        "db": "USCERT",
        "id": "TA16-132A",
        "trust": 2.5
      },
      {
        "db": "BID",
        "id": "90533",
        "trust": 2.0
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "39506C1A-1F8E-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "id": "VAR-201605-0004",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      }
    ],
    "trust": 1.3171288840000002
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:03:19.061000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Invoker Servlet",
        "trust": 0.8,
        "url": "http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm"
      },
      {
        "title": "US-CERT \u30a2\u30e9\u30fc\u30c8\u60c5\u5831\uff1aSAP \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ce\u30fc\u30c8 1445998 \u3067\u89e3\u6c7a\u6e08\u307f\u306e\u554f\u984c\u306b\u3064\u3044\u3066\u518d\u5ea6\u306e\u304a\u77e5\u3089\u305b",
        "trust": 0.8,
        "url": "https://support.sap.com/ja.html"
      },
      {
        "title": "Patch for SAP Netweaver Invoker Servlet Remote Code Execution Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/4568"
      },
      {
        "title": "SAP NetWeaver Application Server Invoker Servlet Fixes for arbitrary code execution vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=61715"
      },
      {
        "title": "The Register",
        "trust": 0.2,
        "url": "https://www.theregister.co.uk/2021/04/06/sap_patch_attacks/"
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications"
      },
      {
        "trust": 2.5,
        "url": "http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions"
      },
      {
        "trust": 2.5,
        "url": "http://www.us-cert.gov/ncas/alerts/ta16-132a"
      },
      {
        "trust": 2.3,
        "url": "http://www.securityfocus.com/bid/48925"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/90533"
      },
      {
        "trust": 1.7,
        "url": "http://service.sap.com/sap/support/notes/1445998"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-5326"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/ta/jvnta91951276/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-5326"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/bid/48925/info"
      },
      {
        "trust": 0.6,
        "url": "http://www.onapsis.com/resources/download.php?id=7wkeuqheij%2bqq3jv4qpdjl1ffrxqqxpj5uloink%2bzeilka6bds1fhqzomd%2bpokyossoouymyxkdykay2dgrh\u0026lang=en ."
      },
      {
        "trust": 0.3,
        "url": "http://www.sap.com/platform/netweaver/index.epx"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.theregister.co.uk/2021/04/06/sap_patch_attacks/"
      },
      {
        "trust": 0.1,
        "url": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "db": "BID",
        "id": "90533"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2011-07-29T00:00:00",
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2011-07-29T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "date": "2016-05-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "date": "2016-05-11T00:00:00",
        "db": "BID",
        "id": "90533"
      },
      {
        "date": "2011-07-28T00:00:00",
        "db": "BID",
        "id": "48925"
      },
      {
        "date": "2016-05-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "date": "2016-05-13T10:59:00.173000",
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "date": "1900-01-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "date": "2016-05-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2011-07-29T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "date": "2021-04-20T00:00:00",
        "db": "VULMON",
        "id": "CVE-2010-5326"
      },
      {
        "date": "2016-07-05T22:21:00",
        "db": "BID",
        "id": "90533"
      },
      {
        "date": "2011-07-28T00:00:00",
        "db": "BID",
        "id": "48925"
      },
      {
        "date": "2016-05-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-002737"
      },
      {
        "date": "2021-04-20T18:41:50.707000",
        "db": "NVD",
        "id": "CVE-2010-5326"
      },
      {
        "date": "2011-08-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "date": "2021-04-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201605-399"
      }
    ],
    "trust": 1.2
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Netweaver Invoker Servlet Remote code execution vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2011-2905"
      },
      {
        "db": "BID",
        "id": "48925"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      }
    ],
    "trust": 1.7
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Code injection",
    "sources": [
      {
        "db": "IVD",
        "id": "39506c1a-1f8e-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201107-453"
      }
    ],
    "trust": 0.8
  }
}

var-201402-0436
Vulnerability from variot

SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. The SAP Solution Manager application failed to properly verify validation, allowing remote attackers to exploit vulnerabilities to bypass sensitive restrictions and obtain sensitive information.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201402-0436",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.x"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2014-01008",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "CNVD",
            "id": "CNVD-2014-01008",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. The SAP Solution Manager application failed to properly verify validation, allowing remote attackers to exploit vulnerabilities to bypass sensitive restrictions and obtain sensitive information",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      },
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      }
    ],
    "trust": 0.72
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "4F42F716-1EEB-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "id": "VAR-201402-0436",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ],
    "trust": 0.08
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "last_update_date": "2022-05-17T02:00:02.726000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP Solution Manager security bypass vulnerability patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/43677"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 0.6,
        "url": "http://erpscan.com/advisories/erpscan-14-004-sap-netweaver-solution-manager-missing-authorization-check-information-disclosure/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-02-18T00:00:00",
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2014-02-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-02-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ]
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Solution Manager Security Bypass Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01008"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Access verification error",
    "sources": [
      {
        "db": "IVD",
        "id": "4f42f716-1eeb-11e6-abef-000c29c66e3d"
      }
    ],
    "trust": 0.2
  }
}

var-201404-0529
Vulnerability from variot

The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allow remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1. SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201404-0529",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver software lifecycle manager",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sap",
        "version": "7.1"
      },
      {
        "model": "software lifecycle manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "7.1"
      },
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "sap",
        "version": "7.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "netweaver lifecycle manager",
        "version": "7.1"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_software_lifecycle_manager:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Nahuel D. S\u00e1nchez",
    "sources": [
      {
        "db": "BID",
        "id": "67147"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2014-3129",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2014-3129",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2014-02753",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "7036ead8-1eda-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-3129",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-02753",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201404-607",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "7036ead8-1eda-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allows remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1. SAP Solution Manager is a system management platform that integrates system monitoring, SAP support desktop, self-service, and ASAP implementation. \nSuccessfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "BID",
        "id": "67147"
      },
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-3129",
        "trust": 2.9
      },
      {
        "db": "SECTRACK",
        "id": "1030157",
        "trust": 2.4
      },
      {
        "db": "BID",
        "id": "67147",
        "trust": 1.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334",
        "trust": 0.8
      },
      {
        "db": "FULLDISC",
        "id": "20140428 [ONAPSIS SECURITY ADVISORY 2014-005] INFORMATION DISCLOSURE IN SAP SOFTWARE LIFECLYCLE MANAGER",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "7036EAD8-1EDA-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "BID",
        "id": "67147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "id": "VAR-201404-0529",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      }
    ],
    "trust": 0.08
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:09:25.843000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP Security Note 1894049",
        "trust": 0.8,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "title": "Patch for SAP Solution Manager Remote Information Disclosure Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/45316"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-200",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.0,
        "url": "http://seclists.org/fulldisclosure/2014/apr/294"
      },
      {
        "trust": 2.4,
        "url": "http://www.securitytracker.com/id/1030157"
      },
      {
        "trust": 1.6,
        "url": "http://scn.sap.com/docs/doc-8218"
      },
      {
        "trust": 1.6,
        "url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-005"
      },
      {
        "trust": 1.6,
        "url": "https://service.sap.com/sap/support/notes/1894049"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/67147"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3129"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3129"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "BID",
        "id": "67147"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-05-05T00:00:00",
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2014-05-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "date": "2014-04-30T00:00:00",
        "db": "BID",
        "id": "67147"
      },
      {
        "date": "2014-05-02T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "date": "2014-04-30T14:22:07.203000",
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "date": "2014-04-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-05-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "date": "2014-05-14T00:41:00",
        "db": "BID",
        "id": "67147"
      },
      {
        "date": "2014-05-02T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002334"
      },
      {
        "date": "2014-05-10T04:06:31.780000",
        "db": "NVD",
        "id": "CVE-2014-3129"
      },
      {
        "date": "2014-05-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Solution Manager Remote Information Disclosure Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "7036ead8-1eda-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-02753"
      },
      {
        "db": "BID",
        "id": "67147"
      }
    ],
    "trust": 1.1
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-607"
      }
    ],
    "trust": 0.6
  }
}

var-202302-1246
Vulnerability from variot

SAP Solution Manager (System Monitoring), version 720, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP Solution Manager is a system monitoring product from SAP (Germany) that can facilitate the monitoring of technology-related and application-related functions of enterprises. When the malicious data is viewed, sensitive information can be obtained or user sessions can be hijacked.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202302-1246",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "sap",
        "version": "720"
      },
      {
        "model": "solution manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:solution_manager:720:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "cve": "CVE-2023-23852",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2024-23331",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 2.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "OTHER",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2023-003548",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2023-23852",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "cna@sap.com",
            "id": "CVE-2023-23852",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "OTHER",
            "id": "JVNDB-2023-003548",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2024-23331",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202302-1017",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. SAP Solution Manager is a system monitoring system of SAP, Germany, which can facilitate the monitoring of technology-related and application-related functions of enterprises. When the malicious data is viewed, sensitive information can be obtained or user sessions can be hijacked",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-23852",
        "trust": 3.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "id": "VAR-202302-1246",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      }
    ]
  },
  "last_update_date": "2024-05-21T23:11:03.652000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "FEBRUARY\u00a02023",
        "trust": 0.8,
        "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
      },
      {
        "title": "Patch for SAP Solution Manager Cross-Site Scripting Vulnerability (CNVD-2024-23331)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/546561"
      },
      {
        "title": "SAP Solution Manager Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=226334"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2023-23852 "
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.0
      },
      {
        "problemtype": "Cross-site scripting (CWE-79) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://launchpad.support.sap.com/#/notes/3266751"
      },
      {
        "trust": 1.7,
        "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-23852"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-23852/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/79.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2023-23852"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-05-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "date": "2023-02-14T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "date": "2023-09-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "date": "2023-02-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "date": "2023-02-14T04:15:11.353000",
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-05-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2024-23331"
      },
      {
        "date": "2023-02-14T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-23852"
      },
      {
        "date": "2023-09-12T02:20:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      },
      {
        "date": "2023-02-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      },
      {
        "date": "2023-04-11T22:15:07.753000",
        "db": "NVD",
        "id": "CVE-2023-23852"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP\u00a0Solution\u00a0Manager\u00a0 Cross-site scripting vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003548"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202302-1017"
      }
    ],
    "trust": 0.6
  }
}

cve-2023-23852
Vulnerability from cvelistv5
Published
2023-02-14 03:12
Modified
2024-08-02 10:42
Summary
SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Impacted products
SAP Solution Manager


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:27.212Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3266751"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Solution Manager",
          "vendor": "SAP",
          "versions": [
            {
              "status": "affected",
              "version": "720"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\u003c/p\u003e"
            }
          ],
          "value": "SAP Solution Manager (System Monitoring) - version 720, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-11T21:22:15.619Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://launchpad.support.sap.com/#/notes/3266751"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-23852",
    "datePublished": "2023-02-14T03:12:23.399Z",
    "dateReserved": "2023-01-19T00:05:29.415Z",
    "dateUpdated": "2024-08-02T10:42:27.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-23855
Vulnerability from cvelistv5
Published
2023-02-14 03:14
Modified
2024-08-02 10:42
Summary
SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.
Impacted products
SAP Solution Manager


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:26.959Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3270509"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Solution Manager",
          "vendor": "SAP",
          "versions": [
            {
              "status": "affected",
              "version": "720"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP Solution Manager - version 720, allows an authenticated attacker to redirect users to a malicious site due to insufficient URL validation. A successful attack could lead an attacker to read or modify the information or expose the user to a phishing attack. As a result, it has a low impact to confidentiality, integrity and availability.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-11T21:21:34.343Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://launchpad.support.sap.com/#/notes/3270509"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-23855",
    "datePublished": "2023-02-14T03:14:29.486Z",
    "dateReserved": "2023-01-19T00:05:29.415Z",
    "dateUpdated": "2024-08-02T10:42:26.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}