CVE-2016-3635Improper Access Control in SAP Netweaver

CWE-284Improper Access Control3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 30.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP Netweaver
Timeline
PublishedOct 13
Latest updateMay 17

Description

SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

NVDsap/netweaver7.40

🔴Vulnerability Details

2
GHSA
GHSA-hh9w-j6fc-233m: SAP Netweaver 72022-05-17
CVEList
CVE-2016-3635: SAP Netweaver 72016-10-13
CVE-2016-3635 — Improper Access Control in SAP | cvebase