SQL Interface Vulnerability in SAP HANA DB by SAP
CVE-2016-6145

5.3MEDIUM

Key Information:

Vendor
SAP
Status
Hana Db
Vendor
CVE Published:
5 August 2016

Summary

The SQL interface of SAP HANA DB has a design flaw that allows a remote attacker to differentiate between valid and invalid usernames based on specific error messages. When the detailed_error_on_connect option is not supported or set to 'False', the system provides varying responses during failed login attempts. This discrepancy creates an opportunity for attackers to enumerate valid usernames through a series of login trials, potentially leading to unauthorized access or further exploitation of the database. The vulnerability highlights the importance of secure configurations and error handling in database management systems.

References

http://www.securityfocus.com/bid/92346
vdb-entryx_refsource_BID
https://www.onapsis.com/blog/onapsis-publishes-15-advisor...
x_refsource_MISC
http://seclists.org/fulldisclosure/2016/Aug/92
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.