Weak Encryption in SAP Download Manager Affects Multiple Platforms
CVE-2016-3685

4.7MEDIUM

Key Information:

Vendor

SAP
Status
Download Manager
Vendor
CVE Published:
14 December 2016

What is CVE-2016-3685?

The SAP Download Manager prior to version 2.1.143 contains a vulnerability where the encryption key is generated from a limited key space on Windows and Mac systems. This flaw enables attackers, who possess knowledge of a hardcoded key embedded within the application's code along with a computer's BIOS serial number, to access sensitive configuration information. As a result, this could potentially lead to unauthorized data exposure and impact the integrity of SAP's security measures.

References

http://www.securityfocus.com/archive/1/537746/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://www.coresecurity.com/advisories/sap-download-manag...
x_refsource_MISC
http://packetstormsecurity.com/files/136172/SAP-Download-...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.