PT-2014-09: Sensitive Information Disclosure in SAP NetWeaver

Vulnerable software

SAP NetWeaver
Version: 7.20 and earlier

Link: http://sap.com/

Severity level

Severity level: Low
Impact: Information Disclosure
Access Vector: Remote

CVSS v2:
Base Score: 3.5
Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE: not assigned

Software description

SAP NetWeaver is a service-oriented integration platform and is the technical foundation for many SAP applications since the SAP Business Suite.

Vulnerability description

The specialists of the Positive Research center have detected a Sensitive Information Disclosure vulnerability in SAP NetWeaver.

An attacker can read any table from SAP Central User Administration (SAP CUA) by accessing a system affiliated with SAP CUA.

How to fix

Update your software to the latest version.

Advisory status

21.03.2014 - Vendor gets vulnerability details
13.05.2014 - Vendor releases fixed version and details
27.08.2014 - Public disclosure

Credits

The vulnerability was detected by Dmitry Gutsko, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2014-09
https://service.sap.com/sap/support/notes/1997455

Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/