CVE-2016-6145 - Vulnerability Details - OpenCVE

The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as "False," which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Hana Db

Configuration 1 [-]

cpe:2.3:a:sap:hana_db:1.00.091.00.1418659308:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html
http://seclists.org/fulldisclosure/2016/Aug/92
http://www.securityfocus.com/bid/92346
https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components
https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-08-05T14:00:00

Updated: 2024-08-06T01:22:20.571Z

Reserved: 2016-07-01T00:00:00

Link: CVE-2016-6145

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-08-05T14:59:17.237

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-6145

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-21T00:00:00", "descriptions": [{"lang": "en", "value": "The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as \"False,\" which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "92346", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92346"}, {"tags": ["x_refsource_MISC"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-027: SAP HANA User information disclosure", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Aug/92"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2016-6145", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as \"False,\" which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "92346", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92346"}, {"name": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components", "refsource": "MISC", "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-027: SAP HANA User information disclosure", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Aug/92"}, {"name": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html"}, {"name": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure", "refsource": "MISC", "url": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:22:20.571Z"}, "title": "CVE Program Container", "references": [{"name": "92346", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92346"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-027: SAP HANA User information disclosure", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2016/Aug/92"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6145", "datePublished": "2016-08-05T14:00:00", "dateReserved": "2016-07-01T00:00:00", "dateUpdated": "2024-08-06T01:22:20.571Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:hana_db:1.00.091.00.1418659308:*:*:*:*:*:*:*", "matchCriteriaId": "E325F2E6-599B-4A19-8731-4531FCB7398E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as \"False,\" which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869."}, {"lang": "es", "value": "La interfaz SQL en SAP HANA DB 1.00.091.00.1418659308 muestra diferentes mensajes de error para intentos de inicio de sesi\u00f3n fallidos dependiendo de si existe el nombre de usuario y est\u00e1 bloqueado cuando la opci\u00f3n detailed_error_on_connect no est\u00e1 apoyada o est\u00e1 configurada como \"falsa\", lo que permite a atacantes remotos enumerar usuarios de bases de datos a trav\u00e9s una serie de intentos de inicio de sesi\u00f3n, vulnerabilidad tambi\u00e9n conocida como SAP Security Note 2216869."}], "id": "CVE-2016-6145", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2016-08-05T14:59:17.237", "references": [{"source": "[email protected]", "url": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Aug/92"}, {"source": "[email protected]", "url": "http://www.securityfocus.com/bid/92346"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-Information-Disclosure.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Aug/92"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/92346"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-user-information-disclosure"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Primary"}]}