CVE-2014-3133

Severity CVSS v4.0:

Pending analysis

Type:

CWE-264 Permissions, Privileges, and Access Control

Publication date:

30/04/2014

Last modified:

12/04/2025

Description

SAP Netweaver Java Application Server does not properly restrict access, which allows remote attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection.

Impact

Vector 2.0

AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS v2.0 Severity and Metrics:

Base Score: 5.00 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): None
Availability (A): None

Base Score 2.0

5.00

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:sap:netweaver_java_application_server:-:::::::*

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

http://scn.sap.com/docs/DOC-8218
http://seclists.org/fulldisclosure/2014/Apr/301
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-008
http://www.securityfocus.com/bid/67104
https://service.sap.com/sap/support/notes/1922547
http://scn.sap.com/docs/DOC-8218
http://seclists.org/fulldisclosure/2014/Apr/301
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-008
http://www.securityfocus.com/bid/67104
https://service.sap.com/sap/support/notes/1922547