CVE-2016-6145

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as "False," which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869.

La interfaz SQL en SAP HANA DB 1.00.091.00.1418659308 muestra diferentes mensajes de error para intentos de inicio de sesión fallidos dependiendo de si existe el nombre de usuario y está bloqueado cuando la opción detailed_error_on_connect no está apoyada o está configurada como "falsa", lo que permite a atacantes remotos enumerar usuarios de bases de datos a través una serie de intentos de inicio de sesión, vulnerabilidad también conocida como SAP Security Note 2216869.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-07-01 CVE Reserved
2016-08-05 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (4)

URL	Tag	Source
http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html	X_refsource_misc
http://seclists.org/fulldisclosure/2016/Aug/92	Mailing List
http://www.securityfocus.com/bid/92346	Vdb Entry
https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sap Search vendor "Sap"		Hana Db Search vendor "Sap" for product "Hana Db"				1.00.091.00.1418659308 Search vendor "Sap" for product "Hana Db" and version "1.00.091.00.1418659308"		-		Affected