⚠ Actively exploited

Added to CISA KEV on 2022-06-09. Federal agencies required to patch by 2022-06-30. Required action: Apply updates per vendor instructions..

CVE-2016-2386 — SQL Injection in SAP Netweaver Application Server Java

CWE-89 — SQL Injection8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

44.0%

top 2.46%

CISA KEV

KEV

Added 2022-06-09

Due 2022-06-30

Exploit

Exploited in wild

Active exploitation observed

Affected products

SAP Netweaver Application Server Java

Timeline

PublishedFeb 16

KEV addedJun 9

KEV dueJun 30

Latest updateAug 31

CISA Required Action: Apply updates per vendor instructions.

Description

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDsap/netweaver_application7.40

🔴Vulnerability Details

GHSA

GHSA-g384-79gw-fwh4: SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7↗2022-05-13

▶

CVEList

CVE-2016-2386: SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7↗2016-02-16

▶

VulnCheck

SAP NetWeaver SQL Injection Vulnerability↗2016

▶

💥Exploits & PoCs

Exploit-DB

SAP NetWeaver J2EE Engine 7.40 - SQL Injection↗2018-01-10

▶

Exploit-DB

SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection↗2016-05-19

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible SAP NetWeaver SQL Injection Attempt Inbound (CVE-2016-2386)↗2022-08-31

▶

📋Vendor Advisories

CISA

SAP NetWeaver SQL Injection Vulnerability↗2022-06-09

▶