Vulnerability-Lookup

CVE-2016-2386 (GCVE-0-2016-2386)

Vulnerability from cvelistv5 – Published: 2016-02-16 15:00 – Updated: 2025-10-21 23:55

CISA KEV

Summary

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

URL

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 2814e0fe-3e1c-499c-8299-714b52390719

Vulnerability ID: CVE-2016-2386

Status: Confirmed

Status Updated: 2022-06-09 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-06-09

Asserted: 2022-06-09

Scope

Notes: KEV entry: SAP NetWeaver SQL Injection Vulnerability | Affected: SAP / NetWeaver | Description: SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | Required action: Apply updates per vendor instructions. | Due date: 2022-06-30 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2016-2386

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-89
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	NetWeaver
Due Date	2022-06-30
Date Added	2022-06-09
Vendorproject	SAP
Vulnerabilityname	SAP NetWeaver SQL Injection Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2016-2386

Created: 2026-02-02 12:27 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:24:49.308Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
          },
          {
            "name": "39840",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/39840/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vah13/SAP_exploit"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
          },
          {
            "name": "43495",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/43495/"
          },
          {
            "name": "20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/May/56"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2016-2386",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:00:31.641195Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-06-09",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:55:55.277Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-06-09T00:00:00+00:00",
            "value": "CVE-2016-2386 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-10T17:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
        },
        {
          "name": "39840",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/39840/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vah13/SAP_exploit"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
        },
        {
          "name": "43495",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/43495/"
        },
        {
          "name": "20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/May/56"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2386",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/",
              "refsource": "MISC",
              "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
            },
            {
              "name": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
            },
            {
              "name": "39840",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/39840/"
            },
            {
              "name": "https://github.com/vah13/SAP_exploit",
              "refsource": "MISC",
              "url": "https://github.com/vah13/SAP_exploit"
            },
            {
              "name": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/",
              "refsource": "MISC",
              "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
            },
            {
              "name": "43495",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/43495/"
            },
            {
              "name": "20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/May/56"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-2386",
    "datePublished": "2016-02-16T15:00:00.000Z",
    "dateReserved": "2016-02-16T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:55:55.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2016-2386",
      "cwes": "[\"CWE-89\"]",
      "dateAdded": "2022-06-09",
      "dueDate": "2022-06-30",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2016-2386",
      "product": "NetWeaver",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.",
      "vendorProject": "SAP",
      "vulnerabilityName": "SAP NetWeaver SQL Injection Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-06-30",
      "cisaExploitAdd": "2022-06-09",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "SAP NetWeaver SQL Injection Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F5308FCE-8B2C-4B4D-BEE7-3CF544570B68\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de inyecci\\u00f3n SQL en el servidor UDDI en SAP NetWeaver J2EE Engine 7.40 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\\u00e9s de vectores no especificados, tambi\\u00e9n conocida como SAP Security Note 2101079.\"}]",
      "id": "CVE-2016-2386",
      "lastModified": "2024-11-21T02:48:21.830",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false}]}",
      "published": "2016-02-16T15:59:00.133",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2016/May/56\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/vah13/SAP_exploit\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/39840/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.exploit-db.com/exploits/43495/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2016/May/56\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/vah13/SAP_exploit\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/39840/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.exploit-db.com/exploits/43495/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-2386\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-02-16T15:59:00.133\",\"lastModified\":\"2025-10-22T00:15:49.967\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de inyecci\u00f3n SQL en el servidor UDDI en SAP NetWeaver J2EE Engine 7.40 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados, tambi\u00e9n conocida como SAP Security Note 2101079.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false}]},\"cisaExploitAdd\":\"2022-06-09\",\"cisaActionDue\":\"2022-06-30\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"SAP NetWeaver SQL Injection Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5308FCE-8B2C-4B4D-BEE7-3CF544570B68\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2016/May/56\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/vah13/SAP_exploit\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/39840/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/43495/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2016/May/56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/vah13/SAP_exploit\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/39840/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.exploit-db.com/exploits/43495/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.exploit-db.com/exploits/39840/\", \"name\": \"39840\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\", \"x_transferred\"]}, {\"url\": \"https://github.com/vah13/SAP_exploit\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.exploit-db.com/exploits/43495/\", \"name\": \"43495\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\", \"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2016/May/56\", \"name\": \"20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T23:24:49.308Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2016-2386\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T21:00:31.641195Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-06-09\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-06-09T00:00:00+00:00\", \"value\": \"CVE-2016-2386 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T21:00:34.415Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"datePublic\": \"2016-02-10T00:00:00.000Z\", \"references\": [{\"url\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.exploit-db.com/exploits/39840/\", \"name\": \"39840\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\"]}, {\"url\": \"https://github.com/vah13/SAP_exploit\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.exploit-db.com/exploits/43495/\", \"name\": \"43495\", \"tags\": [\"exploit\", \"x_refsource_EXPLOIT-DB\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2016/May/56\", \"name\": \"20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2018-12-10T17:57:01.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"n/a\"}]}, \"vendor_name\": \"n/a\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"name\": \"https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"name\": \"http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://www.exploit-db.com/exploits/39840/\", \"name\": \"39840\", \"refsource\": \"EXPLOIT-DB\"}, {\"url\": \"https://github.com/vah13/SAP_exploit\", \"name\": \"https://github.com/vah13/SAP_exploit\", \"refsource\": \"MISC\"}, {\"url\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"name\": \"https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/\", \"refsource\": \"MISC\"}, {\"url\": \"https://www.exploit-db.com/exploits/43495/\", \"name\": \"43495\", \"refsource\": \"EXPLOIT-DB\"}, {\"url\": \"http://seclists.org/fulldisclosure/2016/May/56\", \"name\": \"20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability\", \"refsource\": \"FULLDISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"n/a\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2016-2386\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve@mitre.org\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2016-2386\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:55:55.277Z\", \"dateReserved\": \"2016-02-16T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2016-02-16T15:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

VAR-201602-0118

Vulnerability from variot - Updated: 2023-12-26 23:01

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201602-0118",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver application server java",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.40"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sap",
        "version": "j2ee engine 7.40"
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "sap",
        "version": "7.40"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      }
    ]
  },
  "cve": "CVE-2016-2386",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2016-2386",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-2386",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2016-2386",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201602-296",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2016-2386",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      }
    ],
    "trust": 1.71
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=39840",
        "trust": 0.2,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-2386",
        "trust": 2.5
      },
      {
        "db": "EXPLOIT-DB",
        "id": "39840",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "43495",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "137129",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "83222",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-2386",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "id": "VAR-201602-0118",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.27111164
  },
  "last_update_date": "2023-12-26T23:01:19.730000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP Security Notes February 2016 - Review (2101079)",
        "trust": 0.8,
        "url": "http://scn.sap.com/community/security/blog/2016/02/11/sap-security-notes-february-2016--review?tb_iframe=true\u0026width=921.6\u0026height=921.6"
      },
      {
        "title": "SAP NetWeaver J2EE Engine UDDI server SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=60232"
      },
      {
        "title": "https://github.com/murataydemir/CVE-2016-2386",
        "trust": 0.1,
        "url": "https://github.com/murataydemir/cve-2016-2386 "
      },
      {
        "title": "SAP_exploit",
        "trust": 0.1,
        "url": "https://github.com/vah13/sap_exploit "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456 "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/lnick2023/nicenice "
      },
      {
        "title": "Known Exploited Vulnerabilities Detector",
        "trust": 0.1,
        "url": "https://github.com/ostorlab/kev "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/qazbnm456/awesome-cve-poc "
      },
      {
        "title": "The Register",
        "trust": 0.1,
        "url": "https://www.theregister.co.uk/2022/06/15/microsoft_patch_tuesday/"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.8,
        "url": "https://www.exploit-db.com/exploits/39840/"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/vah13/sap_exploit"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2016/may/56"
      },
      {
        "trust": 1.7,
        "url": "http://packetstormsecurity.com/files/137129/sap-netweaver-as-java-7.5-sql-injection.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/43495/"
      },
      {
        "trust": 1.7,
        "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
      },
      {
        "trust": 1.7,
        "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2386"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2386"
      },
      {
        "trust": 0.8,
        "url": "https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/"
      },
      {
        "trust": 0.8,
        "url": "https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/murataydemir/cve-2016-2386"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/83222"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-02-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "date": "2016-02-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "date": "2016-02-16T15:59:00.133000",
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "date": "2016-02-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-20T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-2386"
      },
      {
        "date": "2016-02-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      },
      {
        "date": "2021-04-20T19:30:51.777000",
        "db": "NVD",
        "id": "CVE-2016-2386"
      },
      {
        "date": "2021-04-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver J2EE Engine of  UDDI On the server  SQL Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001461"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-296"
      }
    ],
    "trust": 0.6
  }
}

GHSA-G384-79GW-FWH4

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2025-10-22 00:31

Details

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-2386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-02-16T15:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.",
  "id": "GHSA-g384-79gw-fwh4",
  "modified": "2025-10-22T00:31:12Z",
  "published": "2022-05-13T01:10:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2386"
    },
    {
      "type": "WEB",
      "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vah13/SAP_exploit"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/39840"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43495"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2016/May/56"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2016-2386

Vulnerability from fkie_nvd - Published: 2016-02-16 15:59 - Updated: 2025-10-22 00:15

CISA KEV

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	http://seclists.org/fulldisclosure/2016/May/56	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/	Broken Link, Third Party Advisory
cve@mitre.org	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	Broken Link, Third Party Advisory
cve@mitre.org	https://github.com/vah13/SAP_exploit	Exploit, Third Party Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/39840/	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	https://www.exploit-db.com/exploits/43495/	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2016/May/56	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/	Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vah13/SAP_exploit	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/39840/	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/43495/	Exploit, Third Party Advisory, VDB Entry
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386

Impacted products

	Vendor	Product	Version
	sap	netweaver_application_server_java	7.40

JSON

To clipboard

{
  "cisaActionDue": "2022-06-30",
  "cisaExploitAdd": "2022-06-09",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "SAP NetWeaver SQL Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5308FCE-8B2C-4B4D-BEE7-3CF544570B68",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de inyecci\u00f3n SQL en el servidor UDDI en SAP NetWeaver J2EE Engine 7.40 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados, tambi\u00e9n conocida como SAP Security Note 2101079."
    }
  ],
  "id": "CVE-2016-2386",
  "lastModified": "2025-10-22T00:15:49.967",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2016-02-16T15:59:00.133",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/May/56"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vah13/SAP_exploit"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/39840/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/43495/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/May/56"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vah13/SAP_exploit"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/39840/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/43495/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

CNVD-2016-01147

Vulnerability from cnvd - Published: 2016-02-19

Title

SAP NetWeaver J2EE Engine UDDI服务器SQL注入漏洞

Description

SAP NetWeaver J2EE Engine是德国思爱普（SAP）公司的一个面向服务的集成化应用平台的J2EE引擎。 SAP NetWeaver J2EE Engine 7.40版本的UDDI服务器中存在SQL注入漏洞。远程攻击者可利用该漏洞执行任意SQL命令。

Severity

高

Patch Name

SAP NetWeaver J2EE Engine UDDI服务器SQL注入漏洞的补丁

Patch Description

SAP NetWeaver J2EE Engine是德国思爱普（SAP）公司的一个面向服务的集成化应用平台的J2EE引擎。 SAP NetWeaver J2EE Engine 7.40版本的UDDI服务器中存在SQL注入漏洞。远程攻击者可利用该漏洞执行任意SQL命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://www.sap.com

Reference

https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/ https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2386

Impacted products

Name
SAP NetWeaver J2EE Engine 7.40

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-2386"
    }
  },
  "description": "SAP NetWeaver J2EE Engine\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u7684J2EE\u5f15\u64ce\u3002\r\n\r\nSAP NetWeaver J2EE Engine 7.40\u7248\u672c\u7684UDDI\u670d\u52a1\u5668\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002",
  "discovererName": "Vahagn Vardanyan (ERPScan)",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.sap.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-01147",
  "openTime": "2016-02-19",
  "patchDescription": "SAP NetWeaver J2EE Engine\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u7684J2EE\u5f15\u64ce\u3002\r\n\r\nSAP NetWeaver J2EE Engine 7.40\u7248\u672c\u7684UDDI\u670d\u52a1\u5668\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver J2EE Engine UDDI\u670d\u52a1\u5668SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP NetWeaver J2EE Engine 7.40"
  },
  "referenceLink": "https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/\r\nhttps://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2386",
  "serverity": "\u9ad8",
  "submitTime": "2016-02-18",
  "title": "SAP NetWeaver J2EE Engine UDDI\u670d\u52a1\u5668SQL\u6ce8\u5165\u6f0f\u6d1e"
}

GSD-2016-2386

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

Aliases

CVE-2016-2386

Aliases

CVE-2016-2386

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-2386",
    "description": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.",
    "id": "GSD-2016-2386",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2016-2386"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-2386"
      ],
      "details": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.",
      "id": "GSD-2016-2386",
      "modified": "2023-12-13T01:21:19.546247Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2016-2386",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/",
            "refsource": "MISC",
            "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
          },
          {
            "name": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
          },
          {
            "name": "39840",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/39840/"
          },
          {
            "name": "https://github.com/vah13/SAP_exploit",
            "refsource": "MISC",
            "url": "https://github.com/vah13/SAP_exploit"
          },
          {
            "name": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/",
            "refsource": "MISC",
            "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
          },
          {
            "name": "43495",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/43495/"
          },
          {
            "name": "20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2016/May/56"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2386"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20160523 [ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/May/56"
            },
            {
              "name": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html"
            },
            {
              "name": "39840",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/39840/"
            },
            {
              "name": "43495",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/43495/"
            },
            {
              "name": "https://github.com/vah13/SAP_exploit",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/vah13/SAP_exploit"
            },
            {
              "name": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/"
            },
            {
              "name": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH"
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-04-20T19:30Z",
      "publishedDate": "2016-02-16T15:59Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-2386 (GCVE-0-2016-2386)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

VAR-201602-0118

GHSA-G384-79GW-FWH4

FKIE_CVE-2016-2386

CNVD-2016-01147

GSD-2016-2386

Tags

Sightings

Nomenclature