[ERPSCAN-16-027] SAP Portal webdynpro – information disclosure

Application: SAP NetWeaver J2EE 7.31
Vendor URL: SAP
Bug: Information Disclosure
Reported: 20.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 14.06.2016
Reference: SAP Security Note 2197262
Author: Alexander Polyakov


Class: Information disclosure
Impact: Direct access to the information about the used software version
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged(U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)


An attacker can discover the SAP Portal webdynpro version.

Business risk

An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) which helps him to learn about a system and to plan further attacks.


SAP NetWeaver AS JAVA 7.31
Other versions are probably affected too, but they were not checked.


To correct this vulnerability, install SAP Security Note 2197262


An attacker can discover information relating to the SAP Portal webdynpro version.
This information could be used to allow the attacker to specialize further attacks.