CVE-2016-2386

KEV

🔴 Łataj teraz

Wstrzyknięcie SQL w serwerze UDDI w SAP NetWeaver umożliwia zdalne wykonanie dowolnych poleceń SQL.

CVSS

9.8

EPSS

44.5%

Exploit

weaponized

Vendor

sap

Opis źródłowy (NVD)

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

exploit sql-injection Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	9.8
CISA KEV (aktywnie wykorzystywane)	Tak
FIRST EPSS (prawdopodobieństwo exploita)	44.5%
Opublikowano (NVD)	2016-02-16 15:59:00 UTC
Ostatnia modyfikacja (NVD)	2026-04-21 16:26:32 UTC

Referencje

http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
http://seclists.org/fulldisclosure/2016/May/56 (cve@mitre.org) [Exploit, Mailing List, Third Party Advisory]
https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/ (cve@mitre.org) [Broken Link, Third Party Advisory]
https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/ (cve@mitre.org) [Broken Link, Third Party Advisory]
https://github.com/vah13/SAP_exploit (cve@mitre.org) [Exploit, Third Party Advisory]
https://www.exploit-db.com/exploits/39840/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
https://www.exploit-db.com/exploits/43495/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-2386 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]