PT-2016-5786 · Sap · Sap Netweaver As Java

Vahagn Vardanyan

Published

2016-04-07

Updated

2021-04-20

CVE-2016-3974

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions SAP NetWeaver Java AS versions 7.1 through 7.5

Description The issue allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to the "http:// tc~~monitoring~~webservice~web/ServerNodesWSService" API endpoint.

Recommendations For SAP NetWeaver Java AS versions 7.1 through 7.5, apply the fix provided in SAP Security Note 2235994 to resolve the issue.

Exploit

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611

Related Identifiers

CVE-2016-3974

Affected Products

Sap Netweaver As Java

PT-2016-5786 · Sap · Sap Netweaver As Java

CVE-2016-3974

Weakness Enumeration

Related Identifiers

Affected Products

References · 7