[ERPSCAN-16-027] SAP Portal webdynpro – information disclosure
Application: SAP NetWeaver J2EE 7.31
Vendor URL: SAP
Bug: Information Disclosure
Vendor response: 21.04.2013
Date of Public Advisory: 14.06.2016
Reference: SAP Security Note 2197262
Author: Alexander Polyakov
Class: Information disclosure
Impact: Direct access to information about the software version in use
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | Low (L) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | None (N) |
An attacker can discover the SAP Portal webdynpro version.
An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about the system and plan further attacks.
SAP NetWeaver AS JAVA 7.31
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2197262.
An attacker can discover information relating to the SAP Portal webdynpro version.
This information could allow the attacker to tailor further attacks.