製品・ソフトウェアに関する情報

JVN脆弱性詳細

SAP NetWeaver の Universal Worklist Configuration における重要なユーザ情報を取得される脆弱性

Title	SAP NetWeaver の Universal Worklist Configuration における重要なユーザ情報を取得される脆弱性
Summary	SAP NetWeaver の Universal Worklist Configuration には、重要なユーザ情報を取得される脆弱性が存在します。ベンダは、本脆弱性を SAP Security Note 2256846 として公開しています。補足情報 : CWE による脆弱性タイプは、CWE-284: Improper Access Control (不適切なアクセス制御) と識別されています。 http://cwe.mitre.org/data/definitions/284.html
Possible impacts	第三者により、巧妙に細工された HTTP リクエストを介して、重要なユーザ情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Feb. 9, 2016, midnight
Registration Date	March 1, 2016, 11:56 a.m.
Last Update	March 1, 2016, 11:56 a.m.

Affected System

SAP

SAP NetWeaver 7.4

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2388	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2388
2	CVE-2016-2388	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2388
National Vulnerability Database (NVD)
3	CVE-2016-2388	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2388
4	CVE-2016-2388	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2388

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
3	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther
4	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
SAP
1	SAP Security Notes February 2016 - Review (2256846)	http://scn.sap.com/community/security/blog/2016/02/11/sap-security-notes-february-2016--review?TB_iframe=true&width=921.6&height=921.6
2	SAP Security Notes February 2016 - Review (2256846)	http://scn.sap.com/community/security/blog/2016/02/11/sap-security-notes-february-2016--review?TB_iframe=true&width=921.6&height=921.6

その他

No	Name	URL
関連文書
1	SAP Security Notes February 2016 - Manufacturing Cyber-Security	https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/
2	SAP Security Notes February 2016 - Manufacturing Cyber-Security	https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/
3	[ERPSCAN-16-010] SAP NetWeaver 7.4 - information disclosure vulnerability	https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
4	[ERPSCAN-16-010] SAP NetWeaver 7.4 - information disclosure vulnerability	https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/

Change Log

No	Changed Details	Date of change
0	[2016年03月01日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-2388

Summary	The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
Summary	El Universal Worklist Configuration en SAP NetWeaver AS JAVA 7.4 permite a los atacantes remotos obtener información sensible de los usuarios a través de una solicitud HTTP manipulada, también conocida como SAP Security Note 2256846
Publication Date	Feb. 17, 2016, 12:59 a.m.
Registration Date	Jan. 26, 2021, 2:08 p.m.
Last Update	April 22, 2026, 1:25 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:sap:netweaver_application_server_java::::::::		7.10	7.50

Related information, measures and tools

No	URL	refsource
1	http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html	cve@mitre.org
2	http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html	cve@mitre.org
3	http://seclists.org/fulldisclosure/2016/May/55	cve@mitre.org
4	https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/	cve@mitre.org
5	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	cve@mitre.org
6	https://www.exploit-db.com/exploits/39841/	cve@mitre.org
7	https://www.exploit-db.com/exploits/43495/	cve@mitre.org
8	http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html	af854a3a-2127-422b-91ae-364da2661108
9	http://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html	af854a3a-2127-422b-91ae-364da2661108
10	http://seclists.org/fulldisclosure/2016/May/55	af854a3a-2127-422b-91ae-364da2661108
11	https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/	af854a3a-2127-422b-91ae-364da2661108
12	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	af854a3a-2127-422b-91ae-364da2661108
13	https://www.exploit-db.com/exploits/39841/	af854a3a-2127-422b-91ae-364da2661108
14	https://www.exploit-db.com/exploits/43495/	af854a3a-2127-422b-91ae-364da2661108
15	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2388	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List