Think you have a false positive on this rule?

Sid 1-39348

Message

SERVER-WEBAPP SAP servlet authentication bypass attempt

Summary

This event is generated when there is a potential bypass to authentication lock

Impact

Web Application Attack

CVE-2010-5326:

CVSS base score 10.0

CVSS impact score 6.0

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2010-5326: The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Affected systems

  • sap netweaver 7.30

Ease of attack

CVE-2010-5326:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References