CVE-2017-16678 - Vulnerability Details - OpenCVE

Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Epbc Epbc2 Kmc-bc Netweaver Knowledge Management Configuration Service

Configuration 1 [-]

cpe:2.3:a:sap:netweaver_knowledge_management_configuration_service:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:sap:epbc::::::::
	cpe:2.3:a:sap:epbc2::::::::

Configuration 3 [-]

OR	cpe:2.3:a:sap:kmc-bc:7.30:::::::*
	cpe:2.3:a:sap:kmc-bc:7.31:::::::*
	cpe:2.3:a:sap:kmc-bc:7.40:::::::*
	cpe:2.3:a:sap:kmc-bc:7.50:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102149
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/
https://launchpad.support.sap.com/#/notes/2457562

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2017-12-12T14:00:00Z

Updated: 2024-09-17T00:11:33.677Z

Reserved: 2017-11-09T00:00:00

Link: CVE-2017-16678

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-12-12T14:29:00.187

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-16678

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver Knowledge Management Configuration Service", "vendor": "SAP", "versions": [{"status": "affected", "version": "EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50"}]}], "datePublic": "2017-12-12T00:00:00", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application."}], "problemTypes": [{"descriptions": [{"description": "Server Side Request Forgery (SSRF)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-13T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/2457562"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "102149", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102149"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-16678", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver Knowledge Management Configuration Service", "version": {"version_data": [{"version_value": "EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50"}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/2457562", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2457562"}, {"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "102149", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102149"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:35:19.753Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2457562"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "102149", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102149"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2017-16678", "datePublished": "2017-12-12T14:00:00Z", "dateReserved": "2017-11-09T00:00:00", "dateUpdated": "2024-09-17T00:11:33.677Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management_configuration_service:-:*:*:*:*:*:*:*", "matchCriteriaId": "675BFE11-5E88-402C-863D-71F7A879201A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:epbc:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9D3A6EA-0E15-4F33-B281-664837B68166", "versionEndIncluding": "7.02", "versionStartIncluding": "7.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:epbc2:*:*:*:*:*:*:*:*", "matchCriteriaId": "C13F5F2E-3908-4D44-9947-0E66F02ACB3F", "versionEndIncluding": "7.02", "versionStartIncluding": "7.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:kmc-bc:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "37EE16A4-4E4F-4670-A66D-C83091B622CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:kmc-bc:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "F9ECC26B-B53B-431F-85A2-BD85A7CC6DE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:kmc-bc:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "429F149B-7BF5-4D71-8B60-4D2AB70B5424", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:kmc-bc:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "4F7AE82C-77F9-4DB8-8DA0-92FD6A1A4F0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service, EPBC and EPBC2 from 7.00 to 7.02; KMC-BC 7.30, 7.31, 7.40 and 7.50, that allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application."}, {"lang": "es", "value": "Vulnerabilidad de Server Side Request Forgery (SSRF) en SAP NetWeaver Knowledge Management Configuration Service, EPBC y EPBC2 desde la versi\u00f3n 7.00 hasta la 7.02 y KMC-BC 7.30, 7.31, 7.40 y 7.50, que permite que un atacante manipule la aplicaci\u00f3n vulnerable para que env\u00ede peticiones manipuladas en nombre de la aplicaci\u00f3n."}], "id": "CVE-2017-16678", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-12T14:29:00.187", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102149"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2457562"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102149"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2457562"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}