Details of VAR-201801-1264

ID

VAR-201801-1264

CVE

CVE-2018-2363

TITLE

SAP NetWeaver Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-001368

DESCRIPTION

SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials. Vendors have confirmed this vulnerability SAP Security Note 2525392 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition. SAP Netweaver 7.00 through 7.02, 7.50 through 7.52, 7.10, 7.11, 7.30, 7.31, and 7.40 vulnerable

Trust: 1.89

sources: NVD: CVE-2018-2363 // JVNDB: JVNDB-2018-001368 // BID: 102449

AFFECTED PRODUCTS

vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.30	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	eq	version:	7.31	Trust: 1.6
vendor:	sap	model:	business application software integrated solution	scope:	lte	version:	7.52	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	gte	version:	7.10	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	gte	version:	7.50	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	gte	version:	7.00	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	lte	version:	7.02	Trust: 1.0
vendor:	sap	model:	business application software integrated solution	scope:	lte	version:	7.11	Trust: 1.0
vendor:	sap	model:	basis	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	eq	version:	7.52	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.50	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.31	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.30	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.11	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.10	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.02	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.01	Trust: 0.3
vendor:	sap	model:	netweaver	scope:	eq	version:	7.0	Trust: 0.3

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-2363
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-2363
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201801-344
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-2363
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2018-2363
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2018-001368 // NVD: CVE-2018-2363

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-344

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201801-344

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001368

PATCH

title:	January 2018 (2525392)	url:	https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/	Trust: 0.8
title:	SAP NetWeaver Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77611	Trust: 0.6

sources: JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344

EXTERNAL IDS

db:	NVD	id:	CVE-2018-2363	Trust: 2.7
db:	BID	id:	102449	Trust: 2.1
db:	JVNDB	id:	JVNDB-2018-001368	Trust: 0.8
db:	CNNVD	id:	CNNVD-201801-344	Trust: 0.6

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

REFERENCES

url:	https://launchpad.support.sap.com/#/notes/2525392	Trust: 1.9
url:	https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/	Trust: 1.9
url:	http://www.securityfocus.com/bid/102449	Trust: 1.8
url:	https://launchpad.support.sap.com/#/notes/1906212	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2363	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2363	Trust: 0.8
url:	http://www.sap.com/	Trust: 0.3

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102449

SOURCES

db:	BID	id:	102449
db:	JVNDB	id:	JVNDB-2018-001368
db:	CNNVD	id:	CNNVD-201801-344
db:	NVD	id:	CVE-2018-2363

LAST UPDATE DATE

2024-08-14T14:57:27.242000+00:00

SOURCES UPDATE DATE

db:	BID	id:	102449	date:	2018-01-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-001368	date:	2018-02-09T00:00:00
db:	CNNVD	id:	CNNVD-201801-344	date:	2018-01-10T00:00:00
db:	NVD	id:	CVE-2018-2363	date:	2018-01-29T13:04:27.527

SOURCES RELEASE DATE

db:	BID	id:	102449	date:	2018-01-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-001368	date:	2018-02-09T00:00:00
db:	CNNVD	id:	CNNVD-201801-344	date:	2018-01-10T00:00:00
db:	NVD	id:	CVE-2018-2363	date:	2018-01-09T15:29:00.370