⚠ Actively exploited
Added to CISA KEV on 2022-06-09. Federal agencies required to patch by 2022-06-30. Required action: Apply updates per vendor instructions..

CVE-2016-2388

CWE-200Information Exposure8 documents7 sources
Severity
5.3MEDIUM
EPSS
62.3%
top 1.64%
CISA KEV
KEV
Added 2022-06-09
Due 2022-06-30
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
SAP Netweaver Application Server Java
Timeline
PublishedFeb 16
KEV addedJun 9
KEV dueJun 30
Latest updateAug 31
CISA Required Action: Apply updates per vendor instructions.

Description

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

NVDsap/netweaver_application7.107.50

🔴Vulnerability Details

3
GHSA
GHSA-56qq-x77r-g35x: The Universal Worklist Configuration in SAP NetWeaver AS JAVA 72022-05-13
CVEList
CVE-2016-2388: The Universal Worklist Configuration in SAP NetWeaver AS JAVA 72016-02-16
VulnCheck
SAP NetWeaver Information Disclosure Vulnerability2016

💥Exploits & PoCs

2
Exploit-DB
SAP NetWeaver J2EE Engine 7.40 - SQL Injection2018-01-10
Exploit-DB
SAP NetWeaver AS JAVA 7.1 < 7.5 - Information Disclosure2016-05-19

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Vulnerable SAP NetWeaver Path Observed - Information Disclosure (CVE-2016-2388)2022-08-31

📋Vendor Advisories

1
CISA
SAP NetWeaver Information Disclosure Vulnerability2022-06-09
CVE-2016-2388 (MEDIUM CVSS 5.3) | The Universal Worklist Configuratio | cvebase.io