CVE-2016-2388
Published: 16 February 2016
Summary
CVE-2016-2388 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
The vulnerability CVE-2016-2388 is an information disclosure flaw (CWE-200) in the Universal Worklist Configuration component of SAP NetWeaver AS JAVA 7.4. It carries a CVSS 3.1 score of 5.3 and permits exposure of sensitive data through network-accessible requests without requiring authentication or user interaction.
Remote attackers can exploit the weakness by submitting a specially crafted HTTP request, enabling them to retrieve sensitive user information from the affected system.
The issue is tracked under SAP Security Note 2256846, with public disclosures and exploit references appearing on sites such as Packet Storm and ERPScan in 2016.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-3472
Vulnerability details
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- KEV Date Added: 09 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access-control policy to block unauthenticated retrieval of sensitive user data via crafted HTTP requests to the Universal Worklist Configuration.
- AC-4 (Information Flow Enforcement): Enforces information-flow rules that would stop the unauthorized release of user information from the SAP Java component to remote, unauthenticated callers.
- Input validation: Requires validation of HTTP request content, which would reject the specially crafted inputs used to trigger the information disclosure in SAP Note 2256846.