CVE-2017-16679 - OpenCVE

URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Sap Kernel

Configuration 1 [-]

OR	cpe:2.3:o:sap:sap_kernel:7.21:::::::*
	cpe:2.3:o:sap:sap_kernel:7.21ext:::::::*
	cpe:2.3:o:sap:sap_kernel:7.22:::::::*
	cpe:2.3:o:sap:sap_kernel:7.22ext:::::::*
	cpe:2.3:o:sap:sap_kernel:7.45:::::::*
	cpe:2.3:o:sap:sap_kernel:7.49:::::::*
	cpe:2.3:o:sap:sap_kernel:7.52:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/102157	Third Party Advisory VDB Entry
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/	Issue Tracking Vendor Advisory
https://launchpad.support.sap.com/#/notes/2520995	Permissions Required Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2017-12-12T00:00:00

Updated: 2017-12-13T10:57:01

Reserved: 2017-11-09T00:00:00

Link: CVE-2017-16679

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-12-12T14:29:00.233

Modified: 2018-01-04T19:40:33.033

Link: CVE-2017-16679

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"containers": {"cna": {"affected": [{"product": "SAP Startup Service", "vendor": "SAP", "versions": [{"status": "affected", "version": "SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52."}]}], "datePublic": "2017-12-12T00:00:00", "descriptions": [{"lang": "en", "value": "URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site."}], "problemTypes": [{"descriptions": [{"description": "URL Redirection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-13T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "102157", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102157"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/2520995"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-16679", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Startup Service", "version": {"version_data": [{"version_value": "SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52."}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "URL Redirection"}]}]}, "references": {"reference_data": [{"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "102157", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102157"}, {"name": "https://launchpad.support.sap.com/#/notes/2520995", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2520995"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2017-16679", "datePublished": "2017-12-12T00:00:00", "dateReserved": "2017-11-09T00:00:00", "dateUpdated": "2017-12-13T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sap:sap_kernel:7.21:*:*:*:*:*:*:*", "matchCriteriaId": "157D157A-6B01-478F-A7B9-D0FAD0636DEF", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.21ext:*:*:*:*:*:*:*", "matchCriteriaId": "63A2F363-A557-429E-97B2-0DFBC93F2C22", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.22:*:*:*:*:*:*:*", "matchCriteriaId": "BB51CE2C-7E65-4214-B14B-19593BE9F26E", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.22ext:*:*:*:*:*:*:*", "matchCriteriaId": "F41CD116-6BDD-432D-A194-316AB42A6ACF", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.45:*:*:*:*:*:*:*", "matchCriteriaId": "F42A1C8B-C830-4DA0-BEE6-04E3FF744FC0", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.49:*:*:*:*:*:*:*", "matchCriteriaId": "AF72873D-9926-40CA-B33E-8AF0FAAFF45C", "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:sap_kernel:7.52:*:*:*:*:*:*:*", "matchCriteriaId": "42D5F7BF-A95A-49AE-A962-DBF53181E2E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site."}, {"lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n de URL en SAP Startup Service; SAP KERNEL 32 NUC; SAP KERNEL 32 Unicode; SAP KERNEL 64 NUC; SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 y 7.22EXT y SAP KERNEL 7.21, 7.22, 7.45, 7.49 y 7.52, que permite que un atacante redirija usuarios a un sitio malicioso."}], "id": "CVE-2017-16679", "lastModified": "2018-01-04T19:40:33.033", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-12T14:29:00.233", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102157"}, {"source": "cna@sap.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2520995"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}