CVE-2016-2388
In short
SAP NetWeaver AS JAVA 7.4's Universal Worklist Configuration allows attackers to retrieve sensitive user information through specially crafted HTTP requests, potentially exposing confidential data.
Technical detail
A CWE-200 information disclosure vulnerability in the Universal Worklist Configuration of SAP NetWeaver AS JAVA 7.4 allows unauthenticated remote attackers to extract sensitive user data via crafted HTTP requests. Exploitation requires only network access to the affected application and results in unauthorized information exposure.
Summary generated and translated by AI from the official description.
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
n/a · n/a
Public PoCs found — 6
- packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html (cve_reference, unverified)
- packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html (cve_reference, unverified)
- www.exploit-db.com/exploits/39841/ (cve_reference, unverified)
- www.exploit-db.com/exploits/43495/ (cve_reference, unverified)
- www.exploit-db.com/exploits/43495 (exploitdb, unverified)
- www.exploit-db.com/exploits/39841 (exploitdb, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html
- http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html
- http://seclists.org/fulldisclosure/2016/May/55
- https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2388
- https://www.exploit-db.com/exploits/39841/
- https://www.exploit-db.com/exploits/43495/