History: Mar 12, 2019 - 10:29 p.m.

CVE-2019-0271

2019-03-12 22:29:00
CWE-20
web.nvd.nist.gov
abap server
xml external entity
xee vulnerability
netweaver
suite/erp
security note
cve-2019-0271

CVSS2: 4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.004 Low (Percentile: 73.1%)

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform do not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22 (that is, ABAP Server 7.00 to 7.31) and in Kernel 7.45, 7.49 or 7.53 (that is, ABAP Server 7.40 to 7.52 or ABAP Platform). For more recent updates, please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.

Affected configurations

NVD

Node
  sap advanced_business_application_programming_platform, Match: -
  OR
  sap advanced_business_application_programming_server, Range: 7.00 to 7.31
  OR
  sap advanced_business_application_programming_server, Range: 7.40 to 7.52

Node
  sap sap_kernel, Match: 7.21
  OR
  sap sap_kernel, Match: 7.22
  OR
  sap sap_kernel, Match: 7.45
  OR
  sap sap_kernel, Match: 7.49
  OR
  sap sap_kernel, Match: 7.53

CNA Affected

[
  {
    "product": "ABAP Server",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< from 7.00 to 7.31"
      }
    ]
  },
  {
    "product": "ABAP Server & Platform",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< from 7.40 to 7.52"
      }
    ]
  }
]
