Details of VAR-201406-0219

ID

VAR-201406-0219

CVE

CVE-2014-4009

TITLE

SAP CCMS Monitoring Vulnerabilities that gain access

Trust: 0.8

sources: JVNDB: JVNDB-2014-002813

DESCRIPTION

SAP CCMS Monitoring (BC-CCM-MON) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. SAP is the world's leading provider of enterprise management software solutions. SAP's multiple components have hard-coded usernames that allow attackers to exploit vulnerabilities to obtain sensitive information. These components include: SAP Project System SAP Structures SAP Project-Oriented Procurement SAP Brazil Specific Add-On SAP Oil Industry Solution Traders and Schedulers Workbench SAP Upgrade Tools SAP Web Services Tool SAP CCMS Monitoring SAP Transaction Data Pool SAP Capacity Leveling SAP Open Hub Service. Multiple SAP Components are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application

Trust: 2.52

sources: NVD: CVE-2014-4009 // JVNDB: JVNDB-2014-002813 // CNVD: CNVD-2014-03665 // BID: 67920 // VULMON: CVE-2014-4009

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03665

AFFECTED PRODUCTS

vendor:	sap	model:	computing center management system monitoring	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	computing center management system monitoring	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	sap	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2014-03665 // JVNDB: JVNDB-2014-002813 // CNNVD: CNNVD-201406-124 // NVD: CVE-2014-4009

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-4009
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-4009
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-03665
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201406-124
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2014-4009
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-4009
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2014-03665
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:N/AC:H/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-03665 // VULMON: CVE-2014-4009 // JVNDB: JVNDB-2014-002813 // CNNVD: CNNVD-201406-124 // NVD: CVE-2014-4009

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2014-002813 // NVD: CVE-2014-4009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-124

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201406-124

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002813

PATCH

title:	SAP Security Note 1911174	url:	http://scn.sap.com/docs/DOC-8218	Trust: 0.8
title:	Patch for information disclosure vulnerabilities in multiple SAP component built-in usernames	url:	https://www.cnvd.org.cn/patchInfo/show/46415	Trust: 0.6

sources: CNVD: CNVD-2014-03665 // JVNDB: JVNDB-2014-002813

EXTERNAL IDS

db:	NVD	id:	CVE-2014-4009	Trust: 2.8
db:	BID	id:	67920	Trust: 2.0
db:	JVNDB	id:	JVNDB-2014-002813	Trust: 0.8
db:	CNVD	id:	CNVD-2014-03665	Trust: 0.6
db:	FULLDISC	id:	20140606 [ONAPSIS SECURITY ADVISORIES] MULTIPLE HARD-CODED USERNAMES IN SAP COMPONENTS	Trust: 0.6
db:	CNNVD	id:	CNNVD-201406-124	Trust: 0.6
db:	VULMON	id:	CVE-2014-4009	Trust: 0.1

sources: CNVD: CNVD-2014-03665 // VULMON: CVE-2014-4009 // BID: 67920 // JVNDB: JVNDB-2014-002813 // CNNVD: CNNVD-201406-124 // NVD: CVE-2014-4009

REFERENCES

url:	http://seclists.org/fulldisclosure/2014/jun/36	Trust: 3.1
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.7
url:	https://service.sap.com/sap/support/notes/1911174	Trust: 1.7
url:	http://www.securityfocus.com/bid/67920	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4009	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4009	Trust: 0.8
url:	http://www.sap.com	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/255.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2014-03665 // VULMON: CVE-2014-4009 // BID: 67920 // JVNDB: JVNDB-2014-002813 // CNNVD: CNNVD-201406-124 // NVD: CVE-2014-4009

CREDITS

Sergio Abraham

Trust: 0.3

sources: BID: 67920

SOURCES

db:	CNVD	id:	CNVD-2014-03665
db:	VULMON	id:	CVE-2014-4009
db:	BID	id:	67920
db:	JVNDB	id:	JVNDB-2014-002813
db:	CNNVD	id:	CNNVD-201406-124
db:	NVD	id:	CVE-2014-4009

LAST UPDATE DATE

2025-04-13T23:05:00.270000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-03665	date:	2014-06-17T00:00:00
db:	VULMON	id:	CVE-2014-4009	date:	2014-06-18T00:00:00
db:	BID	id:	67920	date:	2014-06-11T00:02:00
db:	JVNDB	id:	JVNDB-2014-002813	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-124	date:	2014-06-10T00:00:00
db:	NVD	id:	CVE-2014-4009	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-03665	date:	2014-06-16T00:00:00
db:	VULMON	id:	CVE-2014-4009	date:	2014-06-09T00:00:00
db:	BID	id:	67920	date:	2014-06-06T00:00:00
db:	JVNDB	id:	JVNDB-2014-002813	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-124	date:	2014-06-10T00:00:00
db:	NVD	id:	CVE-2014-4009	date:	2014-06-09T20:55:09.307