Skip to main content

Hana CVE-2015-7828

CRITICAL
Improper Input Validation (CWE-20)
2015-11-10 cve@mitre.org
10.0
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/Au:N/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:N/C:C/I:C/A:C
Attack Vector
Network
Attack Complexity
Low
Confidentiality
C
Integrity
C
Availability
C

Lifecycle Timeline

1
CVE Published
Nov 10, 2015 - 17:59 cve.org
CRITICAL 10.0

DescriptionCVE.org

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583.

AnalysisAI

SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583. Affected products include: Sap Hana.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Hana

View all
CVE-2016-1928 CRITICAL
9.8 Jan 20

Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execu

CVE-2015-7986 HIGH POC
7.5 Oct 27

The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a deni

CVE-2016-6142 HIGH POC
7.5 Sep 26

SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to inject arbitrary audit trail fields into the SYS

CVE-2016-6143 CRITICAL
9.8 Apr 13

SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, ak

CVE-2016-6150 CRITICAL
9.8 Aug 05

The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote at

CVE-2021-21484 CRITICAL
9.8 Mar 09

LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured

CVE-2016-1929 CRITICAL
9.3 Jan 20

The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of

CVE-2018-2402 HIGH
8.4 Mar 14

In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more

CVE-2015-2072 MEDIUM POC
4.3 Feb 27

Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.

CVE-2016-6144 HIGH
8.1 Aug 05

The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when t

CVE-2016-6148 HIGH
7.5 Aug 05

SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbi

CVE-2015-7994 HIGH
7.5 Nov 10

The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via

Share

CVE-2015-7828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy