CVE-2014-6283 - OpenCVE

SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 before ESD#5.4, and 15.0.3 before ESD#4.4 does not properly restrict access, which allows remote authenticated database users to (1) overwrite the master encryption key or (2) trigger a buffer overflow via a crafted RPC message to the hacmpmsgxchg function, and possibly other vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sybase	Adaptive Server Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:sybase:adaptive_server_enterprise:15.0.3:::::::*
	cpe:2.3:a:sybase:adaptive_server_enterprise:15.5:::::::*
	cpe:2.3:a:sybase:adaptive_server_enterprise:15.7:::::::*

No data.

References

Link	Providers
http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html
http://scn.sap.com/docs/DOC-55451
http://secunia.com/advisories/61238
https://exchange.xforce.ibmcloud.com/vulnerabilities/99935
https://service.sap.com/sap/support/notes/2044220
https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-10-17T23:00:00

Updated: 2024-08-06T12:10:13.270Z

Reserved: 2014-09-09T00:00:00

Link: CVE-2014-6283

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-10-17T23:55:03.933

Modified: 2017-09-08T01:29:13.793

Link: CVE-2014-6283

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-09-12T00:00:00", "descriptions": [{"lang": "en", "value": "SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 before ESD#5.4, and 15.0.3 before ESD#4.4 does not properly restrict access, which allows remote authenticated database users to (1) overwrite the master encryption key or (2) trigger a buffer overflow via a crafted RPC message to the hacmpmsgxchg function, and possibly other vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "sap-ase-cve20146283-priv-esc(99935)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99935"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://scn.sap.com/docs/DOC-55451"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://service.sap.com/sap/support/notes/2044220"}, {"name": "61238", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/61238"}, {"tags": ["x_refsource_MISC"], "url": "https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-6283", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 before ESD#5.4, and 15.0.3 before ESD#4.4 does not properly restrict access, which allows remote authenticated database users to (1) overwrite the master encryption key or (2) trigger a buffer overflow via a crafted RPC message to the hacmpmsgxchg function, and possibly other vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "sap-ase-cve20146283-priv-esc(99935)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99935"}, {"name": "http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html", "refsource": "MISC", "url": "http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html"}, {"name": "http://scn.sap.com/docs/DOC-55451", "refsource": "CONFIRM", "url": "http://scn.sap.com/docs/DOC-55451"}, {"name": "https://service.sap.com/sap/support/notes/2044220", "refsource": "CONFIRM", "url": "https://service.sap.com/sap/support/notes/2044220"}, {"name": "61238", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61238"}, {"name": "https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt", "refsource": "MISC", "url": "https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T12:10:13.270Z"}, "title": "CVE Program Container", "references": [{"name": "sap-ase-cve20146283-priv-esc(99935)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99935"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://scn.sap.com/docs/DOC-55451"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://service.sap.com/sap/support/notes/2044220"}, {"name": "61238", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/61238"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-6283", "datePublished": "2014-10-17T23:00:00", "dateReserved": "2014-09-09T00:00:00", "dateUpdated": "2024-08-06T12:10:13.270Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sybase:adaptive_server_enterprise:15.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "57082473-B410-4A53-9C84-E8C68E1B4558", "vulnerable": true}, {"criteria": "cpe:2.3:a:sybase:adaptive_server_enterprise:15.5:*:*:*:*:*:*:*", "matchCriteriaId": "8EAE24F9-2904-472E-99C2-40DC465CD2D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sybase:adaptive_server_enterprise:15.7:*:*:*:*:*:*:*", "matchCriteriaId": "92352505-D953-4375-ACF0-F83DF5A418C9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 before ESD#5.4, and 15.0.3 before ESD#4.4 does not properly restrict access, which allows remote authenticated database users to (1) overwrite the master encryption key or (2) trigger a buffer overflow via a crafted RPC message to the hacmpmsgxchg function, and possibly other vectors."}, {"lang": "es", "value": "SAP Adaptive Server Enterprise (ASE) 15.7 anterior a SP122 o SP63, 15.5 anterior a ESD#5.4 y 15.0.3 anterior a ESD#4.4 no restringen debidamente el acceso, lo que permite a usuarios autenticados de la base de datos (1) sobreescribir la clave maestra de cifrado o (2) provocar un desbordamiento de buffer a trav\u00e9s de un mensaje RPC manipulado a la funci\u00f3n hacmpmsgxchg y posiblemente otros vectores."}], "id": "CVE-2014-6283", "lastModified": "2017-09-08T01:29:13.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-17T23:55:03.933", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://scn.sap.com/docs/DOC-55451"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/61238"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99935"}, {"source": "cve@mitre.org", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://service.sap.com/sap/support/notes/2044220"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-013.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}