{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-10-11T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "93501", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93501"}, {"tags": ["x_refsource_MISC"], "url": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass"}, {"name": "20161011 Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Oct/48"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3635", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "93501", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93501"}, {"name": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass", "refsource": "MISC", "url": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass"}, {"name": "20161011 Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Oct/48"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:03:34.369Z"}, "title": "CVE Program Container", "references": [{"name": "93501", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/93501"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass"}, {"name": "20161011 Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2016/Oct/48"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3635", "datePublished": "2016-10-13T14:00:00.000Z", "dateReserved": "2016-03-22T00:00:00.000Z", "dateUpdated": "2024-08-06T00:03:34.369Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "F019F7F5-7740-4BD4-850F-D7A1923C6200", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366."}, {"lang": "es", "value": "SAP Netweaver 7.4 permite a usuarios remotos autenticados eludir una lista de control de acceso Unified Connectivity (UCON) intencionada y ejecutar Remote Function Modules (RFM) arbitrarios aprovechando una conexi\u00f3n creada por una ejecuci\u00f3n anterior de un RFM an\u00f3nimo incluido en una Communication Assembly, vulnerabilidad tambi\u00e9n conocida como SAP Security Note 2139366."}], "id": "CVE-2016-3635", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-10-13T14:59:00.220", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Oct/48"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/93501"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Oct/48"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/93501"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}