Vulnerability-Lookup

CNVD-2016-12244

Vulnerability from cnvd - Published: 2016-12-14

Title

PwC ACE-ABAP远程代码执行漏洞

Description

ACE（Automated Controls Evaluator）是PwC（普华永道）公司发展的一款可以用来分析SAP安全设置，分辨特权访问和潜在的职责分离的工具。ABAP（Advanced Business Application Programming）。 PwC ACE-ABAP存在远程代码执行漏洞。利用该漏洞，远程攻击者可以执行任意代码。失败的攻击会造成拒绝服务。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security/index.html

Reference

http://www.securityfocus.com/bid/94733

Impacted products

Name
PwC ACE-ABAP 8.10.304

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94733"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9832",
      "cveUrl": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9832"
    }
  },
  "description": "ACE\uff08Automated Controls Evaluator\uff09\u662fPwC\uff08\u666e\u534e\u6c38\u9053\uff09\u516c\u53f8\u53d1\u5c55\u7684\u4e00\u6b3e\u53ef\u4ee5\u7528\u6765\u5206\u6790SAP\u5b89\u5168\u8bbe\u7f6e\uff0c\u5206\u8fa8\u7279\u6743\u8bbf\u95ee\u548c\u6f5c\u5728\u7684\u804c\u8d23\u5206\u79bb\u7684\u5de5\u5177\u3002ABAP\uff08Advanced Business Application Programming\uff09\u3002\r\n\r\nPwC ACE-ABAP\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u5229\u7528\u8be5\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u5931\u8d25\u7684\u653b\u51fb\u4f1a\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Ertunga Arsal and Mert Suoglu of ESNC GmbH.",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security/index.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-12244",
  "openTime": "2016-12-14",
  "products": {
    "product": "PwC ACE-ABAP 8.10.304"
  },
  "referenceLink": "http://www.securityfocus.com/bid/94733",
  "serverity": "\u4e2d",
  "submitTime": "2016-12-08",
  "title": "PwC ACE-ABAP\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2016-9832 (GCVE-0-2016-9832)

Vulnerability from cvelistv5 – Published: 2016-12-09 11:00 – Updated: 2024-08-06 02:59

Summary

PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.securityfocus.com/archive/1/539883/30/…	x_refsource_MISC
	http://www.securityfocus.com/bid/94733	vdb-entryx_refsource_BID
	http://packetstormsecurity.com/files/140062/PwC-A…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2016/Dec/33	mailing-listx_refsource_FULLDISC
	https://www.esnc.de/security-advisories/vulnerabi…	x_refsource_MISC
	http://www.securityfocus.com/archive/1/539883/100…	mailing-listx_refsource_BUGTRAQ

Date Public ?

2016-12-09 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:59:03.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/539883/30/0/threaded"
          },
          {
            "name": "94733",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94733"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/140062/PwC-ACE-Software-For-SAP-Security-8.10.304-ABAP-Injection.html"
          },
          {
            "name": "20161209 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Dec/33"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security"
          },
          {
            "name": "20161207 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/539883/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-12-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/archive/1/539883/30/0/threaded"
        },
        {
          "name": "94733",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94733"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/140062/PwC-ACE-Software-For-SAP-Security-8.10.304-ABAP-Injection.html"
        },
        {
          "name": "20161209 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Dec/33"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security"
        },
        {
          "name": "20161207 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/539883/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-9832",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.securityfocus.com/archive/1/539883/30/0/threaded",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/archive/1/539883/30/0/threaded"
            },
            {
              "name": "94733",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94733"
            },
            {
              "name": "http://packetstormsecurity.com/files/140062/PwC-ACE-Software-For-SAP-Security-8.10.304-ABAP-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/140062/PwC-ACE-Software-For-SAP-Security-8.10.304-ABAP-Injection.html"
            },
            {
              "name": "20161209 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Dec/33"
            },
            {
              "name": "https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security",
              "refsource": "MISC",
              "url": "https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security"
            },
            {
              "name": "20161207 [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/539883/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-9832",
    "datePublished": "2016-12-09T11:00:00.000Z",
    "dateReserved": "2016-12-05T00:00:00.000Z",
    "dateUpdated": "2024-08-06T02:59:03.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-12244

CVE-2016-9832 (GCVE-0-2016-9832)

Tags

Sightings

Nomenclature