
CVE-2016-2388

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 February 2016
Modified: 21 April 2026
KEV Added: 09 June 2022
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.6775 (98.6th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-2388 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

The vulnerability CVE-2016-2388 is an information disclosure flaw (CWE-200) in the Universal Worklist Configuration component of SAP NetWeaver AS JAVA 7.4. It carries a CVSS 3.1 score of 5.3 and permits exposure of sensitive data through network-accessible requests without requiring authentication or user interaction.

Remote attackers can exploit the weakness by submitting a specially crafted HTTP request, enabling them to retrieve sensitive user information from the affected system.

The issue is tracked under SAP Security Note 2256846, with public disclosures and exploit references appearing on sites such as Packet Storm and ERPScan in 2016.


Vulnerability details

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
KEV Date Added: 09 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SAP
Product: NetWeaver Application Server Java
Versions: 7.10 to 7.50

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces access-control policy to block unauthenticated retrieval of sensitive user data via crafted HTTP requests to the Universal Worklist Configuration.

AC-4 Information Flow Enforcement (prevent): Enforces information-flow rules that would stop the unauthorized release of user information from the SAP Java component to remote, unauthenticated callers.

Input validation (prevent): Requires validation of HTTP request content, which would reject the specially crafted inputs used to trigger the information disclosure in SAP Note 2256846.

References