CVE-2016-2386
Basic Information
- CVE State: PUBLISHED
- Reserved Date: February 16, 2016
- Published Date: February 16, 2016
- Last Updated: February 04, 2025
- Vendor: n/a
- Product: n/a
- Description: SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
- Exploitation: active
- Automatable: Yes
- Technical Impact: total
References
https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html
https://www.exploit-db.com/exploits/39840/
https://github.com/vah13/SAP_exploit
https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
https://www.exploit-db.com/exploits/43495/
http://seclists.org/fulldisclosure/2016/May/56
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
CISA | 2022-06-09 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
murataydemir/CVE-2016-2386
Type: github • Created: 2020-08-13 12:07:09 UTC • Stars: 2
[CVE-2016-2386] SAP NetWeaver AS JAVA UDDI Component SQL Injection