CVE-2016-3640 Information

Description

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.091.00.1418659308 allows local users to obtain sensitive password information via vectors related to passwords in Web Dispatcher trace files, aka SAP Security Note 2148905.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/bid/92068
https://layersevensecurity.com/wp-content/uploads/2015/10/Layer-Seven-Security_SAP-Security-Notes_August-2015.pdf
https://www.onapsis.com/blog/analyzing-sap-security-notes-august-2015-edition
https://www.onapsis.com/research/security-advisories/sap-hana-password-disclosure

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.5

Base Severity

MEDIUM
