CVE-2016-2386
In short
A flaw in SAP NetWeaver's UDDI server allows attackers to inject malicious SQL commands without authentication, potentially gaining complete access to the database and all sensitive data stored there.
Technical detail
SQL injection vulnerability in the UDDI server component of SAP NetWeaver J2EE Engine 7.40, exploited via unspecified input vectors, enabling an unauthenticated remote attacker to execute arbitrary SQL commands in the database context. The attack requires network access to the UDDI service; successful exploitation results in full database compromise, including data exfiltration and modification.
Summary generated and translated by AI from the official description.
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a

Public PoCs found — 6
- github: github.com/murataydemir/CVE-2016-2386 (★ 2)
- cve_reference: packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html (unverified)
- cve_reference: www.exploit-db.com/exploits/39840/ (unverified)
- cve_reference: www.exploit-db.com/exploits/43495/ (unverified)
- exploitdb: www.exploit-db.com/exploits/43495 (unverified)
- exploitdb: www.exploit-db.com/exploits/39840 (unverified)

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/56
- https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://github.com/vah13/SAP_exploit
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386
- https://www.exploit-db.com/exploits/39840/
- https://www.exploit-db.com/exploits/43495/