PT-2016-6769 · SAP · SAP HANA DB

Jp Perez-Etchegoyen · Published 2016-08-05 · Updated 2016-11-28 · CVE-2016-6145

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP HANA DB version 1.00.091.00.1418659308

Description: The SQL interface in SAP HANA DB returns different error messages for failed login attempts depending on whether the username exists and whether that user is locked, when the "detailed error on connect" option is not supported or is configured as "False". This allows remote attackers to enumerate database users via a series of login attempts.

Recommendations: For SAP HANA DB version 1.00.091.00.1418659309308, consider configuring the "detailed error on connect" option as "True" so that detailed error messages are not displayed for failed login attempts. Additionally, restrict access to the SQL interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
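As an added illustration (not code from the advisory or from SAP), the following Python model shows the weakness described above: a login handler whose error text separates unknown, locked and mis-typed users beside one that returns a single generic failure, a check that tells the two apart, and a detector that flags a client failing logins against many distinct usernames. USERS, EVENTS and all usernames and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed user store for the demo: username -> (password, locked)
USERS = {"SYSTEM": ("s3cret", False), "AUDITOR": ("pw", True)}

def login_verbose(user, password):
    """Behaviour described in the advisory: the reply itself reveals
    whether the user exists and whether the account is locked."""
    if user not in USERS:
        return (False, "user does not exist")
    stored, locked = USERS[user]
    if locked:
        return (False, "user is locked")
    if password != stored:
        return (False, "invalid password")
    return (True, "ok")

def login_uniform(user, password):
    """Hardened variant: the same generic message for every failure.
    The real cause stays available server-side for auditing only."""
    ok, _reason = login_verbose(user, password)
    return (True, "ok") if ok else (False, "authentication failed")

def responses_distinguishable(login):
    """Check for the weakness: probe an unknown, a locked and an existing
    user with a wrong password and see whether the messages differ."""
    probes = ("NOSUCHUSER", "AUDITOR", "SYSTEM")
    return len({login(u, "wrong-password")[1] for u in probes}) > 1

# Constructed failed-login events as (source_ip, username): one source
# walks a list of names, the other just mistypes its own password.
EVENTS = [("10.0.0.5", n) for n in
          ("SYSTEM", "ADMIN", "AUDITOR", "BACKUP", "REPORT", "DEVOPS")]
EVENTS += [("10.0.0.9", "SYSTEM")] * 3

def enumeration_suspects(events, min_distinct_users=5):
    """Flag sources whose failed logins span many distinct usernames: the
    trace a series of probing login attempts leaves in the audit trail,
    whichever error message the server handed back."""
    users_by_src = defaultdict(set)
    for src, user in events:
        users_by_src[src].add(user)
    return sorted(s for s, u in users_by_src.items()
                  if len(u) >= min_distinct_users)

if __name__ == "__main__":
    print("verbose distinguishable:", responses_distinguishable(login_verbose))
    print("uniform distinguishable:", responses_distinguishable(login_uniform))
    print("enumeration suspects:", enumeration_suspects(EVENTS))
```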

Weakness Enumeration: Information Disclosure

Related Identifiers: CVE-2016-6145

Affected Products: SAP HANA DB