ID

VAR-201406-0214


CVE

CVE-2014-4004


TITLE

SAP Project System vulnerability that allows access rights to be acquired

Trust: 0.8

sources: JVNDB: JVNDB-2014-002808

DESCRIPTION

The (1) Structures and (2) Project-Oriented Procurement components in SAP Project System have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. SAP is the world's leading provider of enterprise management software solutions. Multiple SAP components have hard-coded usernames that allow attackers to exploit vulnerabilities to obtain sensitive information. These components include: SAP Project System, SAP Structures, SAP Project-Oriented Procurement, SAP Brazil Specific Add-On, SAP Oil Industry Solution Traders and Schedulers Workbench, SAP Upgrade Tools, SAP Web Services Tool, SAP CCMS Monitoring, SAP Transaction Data Pool, SAP Capacity Leveling, and SAP Open Hub Service. Multiple SAP components are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application.

Trust: 2.61

sources: NVD: CVE-2014-4004 // JVNDB: JVNDB-2014-002808 // CNVD: CNVD-2014-03665 // BID: 67920 // IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-03665

AFFECTED PRODUCTS

vendor: sap, model: project system, scope: eq, version: -

Trust: 1.6

vendor: sap, model: project system, scope: -, version: -

Trust: 0.8

vendor: sap, model: sap, scope: -, version: -

Trust: 0.6

vendor: sap, model: -, scope: eq, version: *

Trust: 0.4

sources: IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-03665 // JVNDB: JVNDB-2014-002808 // CNNVD: CNNVD-201406-119 // NVD: CVE-2014-4004

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4004
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4004
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-03665
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201406-119
value: MEDIUM

Trust: 0.6

IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2014-4004
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-03665
severity: MEDIUM
baseScore: 4.6
vectorString: AV:N/AC:H/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.6
vectorString: AV:N/AC:H/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-03665 // JVNDB: JVNDB-2014-002808 // CNNVD: CNNVD-201406-119 // NVD: CVE-2014-4004

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2014-002808 // NVD: CVE-2014-4004

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-119

TYPE

Trust management

Trust: 0.8

sources: IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201406-119

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002808

PATCH

title: SAP Security Note 1791081, url: http://scn.sap.com/docs/DOC-8218

Trust: 0.8

title: Patch for information disclosure vulnerabilities in multiple SAP component built-in usernames, url: https://www.cnvd.org.cn/patchInfo/show/46415

Trust: 0.6

sources: CNVD: CNVD-2014-03665 // JVNDB: JVNDB-2014-002808

EXTERNAL IDS

db: NVD, id: CVE-2014-4004

Trust: 2.9

db: BID, id: 67920

Trust: 1.9

db: CNVD, id: CNVD-2014-03665

Trust: 0.8

db: CNNVD, id: CNNVD-201406-119

Trust: 0.8

db: JVNDB, id: JVNDB-2014-002808

Trust: 0.8

db: FULLDISC, id: 20140606 [ONAPSIS SECURITY ADVISORIES] MULTIPLE HARD-CODED USERNAMES IN SAP COMPONENTS

Trust: 0.6

db: IVD, id: F96B7B06-1ED1-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: f96b7b06-1ed1-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-03665 // BID: 67920 // JVNDB: JVNDB-2014-002808 // CNNVD: CNNVD-201406-119 // NVD: CVE-2014-4004

REFERENCES

url:http://seclists.org/fulldisclosure/2014/jun/36

Trust: 3.0

url:http://www.layersevensecurity.com/docs/layer%20seven%20security_advisory_february%202014.pdf

Trust: 2.4

url:https://service.sap.com/sap/support/notes/1791081

Trust: 1.6

url:http://scn.sap.com/docs/doc-8218

Trust: 1.6

url:http://www.securityfocus.com/bid/67920

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4004

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4004

Trust: 0.8

url:http://www.sap.com

Trust: 0.3

sources: CNVD: CNVD-2014-03665 // BID: 67920 // JVNDB: JVNDB-2014-002808 // CNNVD: CNNVD-201406-119 // NVD: CVE-2014-4004

CREDITS

Sergio Abraham

Trust: 0.3

sources: BID: 67920

SOURCES

db: IVD, id: f96b7b06-1ed1-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2014-03665
db: BID, id: 67920
db: JVNDB, id: JVNDB-2014-002808
db: CNNVD, id: CNNVD-201406-119
db: NVD, id: CVE-2014-4004

LAST UPDATE DATE

2025-04-13T23:05:00.367000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-03665, date: 2014-06-17T00:00:00
db: BID, id: 67920, date: 2014-06-11T00:02:00
db: JVNDB, id: JVNDB-2014-002808, date: 2014-06-11T00:00:00
db: CNNVD, id: CNNVD-201406-119, date: 2014-06-16T00:00:00
db: NVD, id: CVE-2014-4004, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: f96b7b06-1ed1-11e6-abef-000c29c66e3d, date: 2014-06-17T00:00:00
db: CNVD, id: CNVD-2014-03665, date: 2014-06-16T00:00:00
db: BID, id: 67920, date: 2014-06-06T00:00:00
db: JVNDB, id: JVNDB-2014-002808, date: 2014-06-11T00:00:00
db: CNNVD, id: CNNVD-201406-119, date: 2014-06-16T00:00:00
db: NVD, id: CVE-2014-4004, date: 2014-06-09T20:55:08.980