Details of VAR-201404-0293

ID

VAR-201404-0293

CVE

CVE-2013-7355

TITLE

SAP BI Universal Data Integration In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-006301

DESCRIPTION

SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema. SAP BI Universal Data Integration is a universal data analysis interface for SAP BI solutions from SAP SAP. User-provided input that was not properly filtered by the program before the SQL query was used. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database

Trust: 2.61

sources: NVD: CVE-2013-7355 // JVNDB: JVNDB-2013-006301 // CNVD: CNVD-2014-02333 // BID: 67735 // IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-02333

AFFECTED PRODUCTS

vendor:	sap	model:	bi universal data integration	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	bi universal data integration	scope:	-	version:	-	Trust: 1.4
vendor:	sap	model:	bw universal data integration	scope:	eq	version:	??0	Trust: 0.3
vendor:	bi universal data integration	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-02333 // BID: 67735 // JVNDB: JVNDB-2013-006301 // CNNVD: CNNVD-201404-123 // NVD: CVE-2013-7355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-7355
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-7355
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-02333
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201404-123
value:	HIGH
Trust: 0.6
IVD:	7c5a292a-1ede-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2013-7355
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-02333
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7c5a292a-1ede-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-02333 // JVNDB: JVNDB-2013-006301 // CNNVD: CNNVD-201404-123 // NVD: CVE-2013-7355

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2013-006301 // NVD: CVE-2013-7355

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-123

TYPE

SQL injection

Trust: 0.8

sources: IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201404-123

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006301

PATCH

title:	Top Page	url:	http://www.sap.com/index.html	Trust: 0.8
title:	SAP BI Universal Data Integration J2EE architecture has patches for unknown SQL injection vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/44860	Trust: 0.6

sources: CNVD: CNVD-2014-02333 // JVNDB: JVNDB-2013-006301

EXTERNAL IDS

db:	NVD	id:	CVE-2013-7355	Trust: 3.5
db:	CNVD	id:	CNVD-2014-02333	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-123	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-006301	Trust: 0.8
db:	OSVDB	id:	105683	Trust: 0.6
db:	BID	id:	67735	Trust: 0.3
db:	IVD	id:	7C5A292A-1EDE-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 7c5a292a-1ede-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-02333 // BID: 67735 // JVNDB: JVNDB-2013-006301 // CNNVD: CNNVD-201404-123 // NVD: CVE-2013-7355

REFERENCES

url:	http://www.onapsis.com/get.php?resid=adv_onapsis-2013-013	Trust: 2.7
url:	http://www.onapsis.com/research-advisories.php	Trust: 2.4
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7355	Trust: 1.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7355	Trust: 0.8
url:	http://osvdb.com/show/osvdb/105683	Trust: 0.6
url:	http://www.sap.com	Trust: 0.3

sources: CNVD: CNVD-2014-02333 // BID: 67735 // JVNDB: JVNDB-2013-006301 // CNNVD: CNNVD-201404-123 // NVD: CVE-2013-7355

CREDITS

Jordan Santarsieri

Trust: 0.3

sources: BID: 67735

SOURCES

db:	IVD	id:	7c5a292a-1ede-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2014-02333
db:	BID	id:	67735
db:	JVNDB	id:	JVNDB-2013-006301
db:	CNNVD	id:	CNNVD-201404-123
db:	NVD	id:	CVE-2013-7355

LAST UPDATE DATE

2025-04-12T23:22:25.772000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-02333	date:	2014-04-16T00:00:00
db:	BID	id:	67735	date:	2013-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2013-006301	date:	2014-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201404-123	date:	2014-04-14T00:00:00
db:	NVD	id:	CVE-2013-7355	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	7c5a292a-1ede-11e6-abef-000c29c66e3d	date:	2014-04-16T00:00:00
db:	CNVD	id:	CNVD-2014-02333	date:	2014-04-16T00:00:00
db:	BID	id:	67735	date:	2013-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2013-006301	date:	2014-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201404-123	date:	2014-04-14T00:00:00
db:	NVD	id:	CVE-2013-7355	date:	2014-04-10T20:55:05.210