The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sybase Adaptive Server Enterprise

vulnerability announce 19572

SAP: multiples vulnerabilities of May 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 10/05/2016.
Identifiers: DOC-8218, ERPSCAN-16-010, ERPSCAN-16-011, ERPSCAN-16-019, ERPSCAN-16-020, ERPSCAN-16-021, ERPSCAN-16-023, VIGILANCE-VUL-19572.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2016-4014 CVE-2016-4015 CVE-2016-4016

SAP: multiples vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/04/2016.
Identifiers: CVE-2016-4014, CVE-2016-4015, CVE-2016-4016, CVE-2016-4017, CVE-2016-4018, DOC-8218, ERPSCAN-16-019, ERPSCAN-16-020, ERPSCAN-16-021, VIGILANCE-VUL-19348.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-7828 CVE-2015-7986 CVE-2015-7991

SAP: multiples vulnerabilities of October 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 13/10/2015.
Revision date: 29/01/2016.
Identifiers: CVE-2015-7828, CVE-2015-7986, CVE-2015-7991, CVE-2015-7992, CVE-2015-7993, CVE-2015-7994, CVE-2015-8028, CVE-2015-8029, CVE-2015-8030, ERPSCAN-15-017, ERPSCAN-15-024, ERPSCAN-15-025, ONAPSIS-2015-024, ONAPSIS-2015-040, ONAPSIS-2015-041, ONAPSIS-2015-042, ONAPSIS-2015-043, ONAPSIS-2015-044, VIGILANCE-VUL-18084, ZDI-15-526, ZDI-15-527, ZDI-15-528, ZDI-15-529, ZDI-15-530, ZDI-15-531, ZDI-15-532.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-1910 CVE-2016-1911 CVE-2016-1928

SAP: multiples vulnerabilities of January 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/01/2016.
Revision date: 28/01/2016.
Identifiers: CVE-2016-1910, CVE-2016-1911, CVE-2016-1928, CVE-2016-1929, CVE-2016-7437, DOC-8218, ERPSCAN-15-024, ERPSCAN-16-001, ERPSCAN-16-002, ERPSCAN-16-003, ERPSCAN-16-004, ERPSCAN-16-005, ONAPSIS-2016-051, VIGILANCE-VUL-18691.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2015-2278 CVE-2015-2282 CVE-2015-3994

SAP: multiple vulnerabilities of May 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/05/2015.
Identifiers: CVE-2015-2278, CVE-2015-2282, CVE-2015-3994, CVE-2015-3995, CVE-2015-4091, CVE-2015-4092, CVE-2015-4157, CVE-2015-4158, CVE-2015-4159, CVE-2015-4160, CVE-2015-4161, CVE-2016-3946, DOC-8218, ONAPSIS-2015-006, ONAPSIS-2015-007, ONAPSIS-2016-001, VIGILANCE-VUL-16877.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2015-3978 CVE-2015-3979 CVE-2015-3980

SAP: multiple vulnerabilities of April 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/04/2015.
Identifiers: CVE-2015-3978, CVE-2015-3979, CVE-2015-3980, CVE-2015-3981, DOC-8218, VIGILANCE-VUL-16593.

Description of the vulnerability

Several vulnerabilities were announced in SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2014-8659 CVE-2014-8660 CVE-2014-8661

SAP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/10/2014.
Identifiers: CVE-2014-8659, CVE-2014-8660, CVE-2014-8661, CVE-2014-8662, CVE-2014-8663, CVE-2014-8664, CVE-2014-8665, CVE-2014-8666, CVE-2014-8667, CVE-2014-8668, CVE-2014-8669, DOC-8218, VIGILANCE-VUL-15471.

Description of the vulnerability

Several vulnerabilities were announced in SAP.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce 14732

SAP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of SAP, in order to execute JavaScript code in the context of the web site.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/05/2014.
Revision date: 19/05/2014.
Identifiers: 1979438, DOC-8218, VIGILANCE-VUL-14732.

Description of the vulnerability

The SAP product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of SAP, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-0160

OpenSSL: information disclosure via Heartbeat

Synthesis of the vulnerability

An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, MIMEsweeper, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, MBS, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.

Description of the vulnerability

The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature, without performing a renegotiation. It exchanges random data in a payload.

Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function manages Heartbeat messages. However, it does not check the size of random data, and continues to read after the end of the payload, and then sends the full memory area (up to 64kb) to the peer (client or server).

An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce 14262

SAP: multiple vulnerabilities for February 2014

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 14/02/2014.
Identifiers: 1716640, 1769611, 1771706, 1777988, 1781171, 1833327, 1911319, 1913388, 1915908, 1942332, VIGILANCE-VUL-14262.

Description of the vulnerability

Several vulnerabilities were publicly announced this month by SAP.

An attacker can traverse directories in HFILTAX0_FORMS0_ALV, in order to read a file outside the root path. [severity:2/4; 1913388]

An attacker can traverse directories in HFISTWC0_FORMS, in order to read a file outside the root path. [severity:2/4; 1777988]

An attacker can traverse directories in HFIUTMS0, in order to read a file outside the root path. [severity:2/4; 1771706]

An attacker can traverse directories in HFISTBC0_SUBR, in order to read a file outside the root path. [severity:2/4; 1769611]

An attacker can trigger a Cross Site Scripting in Business Planning and Consolidation, in order to execute JavaScript code in the context of the web site. [severity:2/4; 1942332]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1911319]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1716640]

An attacker can bypass access restrictions of ABAP Reports, in order to read or alter data. [severity:2/4; 1915908]

An attacker can invite the victim to click in WebDynpro Java, in order to perform operations. [severity:1/4; 1781171]

An attacker can use a SQL injection in LSZRSF03, in order to read or alter data. [severity:2/4; 1833327]

Other vulnerabilities may have been announced this month, but they are private. SAP has to be contacted to obtain the full list.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Sybase Adaptive Server Enterprise: