PT-2016-1176 · Sap · Sap Netweaver J2Ee Engine
Vahagn Vardanyan
·
Published
2016-02-16
·
Updated
2025-02-04
·
CVE-2016-2386
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SAP NetWeaver J2EE Engine version 7.40
Description
The issue is related to a SQL injection vulnerability in the UDDI server of the SAP NetWeaver J2EE Engine. This vulnerability allows remote attackers to execute arbitrary SQL commands via unspecified vectors. The vulnerability is due to the lack of protection measures for the SQL query structure, which can be exploited by a remote attacker to execute arbitrary SQL commands.
Recommendations
For SAP NetWeaver J2EE Engine version 7.40, apply the fix as described in SAP Security Note 2101079 to resolve the SQL injection vulnerability. As a temporary workaround, consider restricting access to the UDDI server to minimize the risk of exploitation.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sap Netweaver J2Ee Engine