Weak Encryption Vulnerability in SAP Download Manager by SAP
CVE-2016-3684

4.7MEDIUM

Key Information:

Vendor

SAP
Status
Download Manager
Vendor
CVE Published:
14 December 2016

What is CVE-2016-3684?

SAP Download Manager versions 2.1.142 and earlier utilize a hardcoded encryption key to secure stored data. This implementation flaw allows context-dependent attackers to exploit knowledge of the encryption key, gaining access to sensitive configuration information. This vulnerability has been documented in SAP Security Note 2282338 and poses a significant risk to the integrity and confidentiality of stored data.

References

http://www.securityfocus.com/archive/1/537746/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://www.coresecurity.com/advisories/sap-download-manag...
x_refsource_MISC
http://packetstormsecurity.com/files/136172/SAP-Download-...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.