CVE-2016-3640

low-risk

Published 2016-08-05

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.091.00.1418659308 allows local users to obtain sensitive password information via vectors related to passwords in Web Dispatcher trace files, aka SAP Security Note 2148905.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Hana Db

Affected Vendors

Sap

References (8)

Third Party Advisory http://www.securityfocus.com/bid/92068

Technical Description https://layersevensecurity.com/wp-content/uploads/2015/10/Layer-Seven-Security_S...

Third Party Advisory https://www.onapsis.com/blog/analyzing-sap-security-notes-august-2015-edition

Permissions Required https://www.onapsis.com/research/security-advisories/sap-hana-password-disclosur...

Third Party Advisory http://www.securityfocus.com/bid/92068

Technical Description https://layersevensecurity.com/wp-content/uploads/2015/10/Layer-Seven-Security_S...

Third Party Advisory https://www.onapsis.com/blog/analyzing-sap-security-notes-august-2015-edition

Permissions Required https://www.onapsis.com/research/security-advisories/sap-hana-password-disclosur...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal