History: Apr 10, 2019 - 9:29 p.m.

CVE-2019-0284

2019-04-10 21:29:00
CWE-611
web.nvd.nist.gov
cve-2019-0284
sap hana
sld registration
xxe vulnerability
xml external entity
nvd
security issue

CVSS3: 6 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

AI Score: 6.9 Medium
Confidence: Low

CVSS2: 3.6 Low

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:L/AC:L/Au:N/C:P/I:N/A:P

EPSS: 0.0004 Low
Percentile: 12.2%

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.

CPE       Name      Operator  Version
sap:hana  sap hana  eq        2.0
sap:hana  sap hana  eq        1.0
