Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2016-2386
PUBLISHED
- Vendor: SAP
- Product: NetWeaver J2EE Engine
- Published: Feb 16, 2016
- EPSS: —
Description
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitation status
Exploited in the wild
Recorded 2022-06-09 00:00:00 UTC
SSVC decision points
- Exploitation: active
- Automatable: Yes
- Technical impact: total
References
- https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
- http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html
- https://www.exploit-db.com/exploits/39840/
- https://github.com/vah13/SAP_exploit
- https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
- https://www.exploit-db.com/exploits/43495/
- http://seclists.org/fulldisclosure/2016/May/56
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Jun 09, 2022 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2020-08-13 12:07:09 UTC · 2 stars
[CVE-2016-2386] SAP NetWeaver AS JAVA UDDI Component SQL Injection
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel