CVE-2014-5171

SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

CVSS v2.0 2.9 LOW

2.9^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 5.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://scn.sap.com/docs/DOC-8218
http://packetstormsecurity.com/files/127666/SAP-HANA-XS-Missing-Encryption.html
https://service.sap.com/sap/support/notes/1963932
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021
http://seclists.org/fulldisclosure/2014/Jul/149
http://www.securityfocus.com/bid/68947
http://www.securityfocus.com/archive/1/532940/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:hana_extend_application_services:-:*:*:*:*:*:*:*

Information

Published : 2014-07-31 07:55

Updated : 2018-10-09 12:49

NVD link : CVE-2014-5171

Mitre link : CVE-2014-5171

JSON object : View

CWE

CWE-310

Cryptographic Issues

Products Affected

sap

hana_extend_application_services

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://scn.sap.com/docs/DOC-8218", "name": "http://scn.sap.com/docs/DOC-8218", "tags": [], "refsource": "CONFIRM"}, {"url": "http://packetstormsecurity.com/files/127666/SAP-HANA-XS-Missing-Encryption.html", "name": "http://packetstormsecurity.com/files/127666/SAP-HANA-XS-Missing-Encryption.html", "tags": [], "refsource": "MISC"}, {"url": "https://service.sap.com/sap/support/notes/1963932", "name": "https://service.sap.com/sap/support/notes/1963932", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021", "name": "http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021", "tags": [], "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2014/Jul/149", "name": "20140729 [Onapsis Security Advisory 2014-021] SAP HANA XS Missing encryption in form-based authentication", "tags": [], "refsource": "FULLDISC"}, {"url": "http://www.securityfocus.com/bid/68947", "name": "68947", "tags": [], "refsource": "BID"}, {"url": "http://www.securityfocus.com/archive/1/532940/100/0/threaded", "name": "20140729 [Onapsis Security Advisory 2014-021] SAP HANA XS Missing encryption in form-based authentication", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-310"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-5171", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.9, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 5.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-07-31T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sap:hana_extend_application_services:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-09T19:49Z"}

2.9 /10