Vulnerability Description
The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_connect option is not supported or is configured as "False," which allows remote attackers to enumerate database users via a series of login attempts, aka SAP Security Note 2216869.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Hana Db | 1.00.091.00.1418659308 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-I
- http://seclists.org/fulldisclosure/2016/Aug/92Third Party Advisory
- http://www.securityfocus.com/bid/92346
- https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-buildiThird Party Advisory
- https://www.onapsis.com/research/security-advisories/sap-hana-user-information-dPermissions Required
- http://packetstormsecurity.com/files/138444/SAP-HANA-DB-1.00.091.00.1418659308-I
- http://seclists.org/fulldisclosure/2016/Aug/92Third Party Advisory
- http://www.securityfocus.com/bid/92346
- https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-buildiThird Party Advisory
- https://www.onapsis.com/research/security-advisories/sap-hana-user-information-dPermissions Required
FAQ
What is CVE-2016-6145?
CVE-2016-6145 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides different error messages for failed login attempts depending on whether the username exists and is locked when the detailed_error_on_co...
How severe is CVE-2016-6145?
CVE-2016-6145 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-6145?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Hana Db.