CVE-2010-5326

Sažetak

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Reference

http://service.sap.com/sap/support/notes/1445998
http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions
http://www.securityfocus.com/bid/48925
http://www.securityfocus.com/bid/90533
http://www.us-cert.gov/ncas/alerts/TA16-132A
https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications
http://service.sap.com/sap/support/notes/1445998
http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions
http://www.securityfocus.com/bid/48925
http://www.securityfocus.com/bid/90533
http://www.us-cert.gov/ncas/alerts/TA16-132A
https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-5326

CVSS

Base:	10.0
Impact:	10.0
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

21-04-2026 - 15:19

Objavljeno

13-05-2016 - 10:59