Vulnerability Name:

CCN-160452

Published: 2019-05-02
Updated: 2019-05-02
Summary: Multiple SAP applications could allow a remote attacker to gain unauthorized access to the system, caused by an error in basic settings for Reg_info and Sec_info. An attacker could exploit this vulnerability using the 10KBLAZE exploit to view and modify critical and sensitive business data, gain full access to databases, and completely compromise the application.
CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
9.0 Critical (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Consequences: Gain Access
References: Source: XF
Type: UNKNOWN
sap-reginfo-unauth-access(160452)

Source: CCN
Type: SAP Web site
SAP Support Note 1408081

Source: CCN
Type: Bleeping Computer Web site
Public 10KBLAZE Exploits May Impact 90% of SAP Production Systems

Source: CCN
Type: The Onapsis Security Blog, May 02, 2019
New Critical Public Exploits Put SAP Applications at Risk

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/a:sap:netweaver:*:*:*:*:*:*:*:*
  • OR cpe:/a:sap:hana:-:*:*:*:*:*:*:*
  • OR cpe:/a:sap:business_intelligence_development_workbench:-:*:*:*:*:*:*:*
  • OR cpe:/a:sap:erp:6.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    sap netweaver *
    sap hana -
    sap business intelligence development workbench -
    sap erp 6.0