ID

VAR-201801-1264


CVE

CVE-2018-2363


TITLE

SAP NetWeaver Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-001368

DESCRIPTION

SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials. The vendor has confirmed this vulnerability; it is released as SAP Security Note 2525392. Information may be obtained or altered, and service operation may be disrupted (DoS). Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition. SAP NetWeaver 7.00 through 7.02, 7.50 through 7.52, 7.10, 7.11, 7.30, 7.31, and 7.40 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2018-2363 // JVNDB: JVNDB-2018-001368 // BID: 102449

AFFECTED PRODUCTS

vendor: sap // model: business application software integrated solution // scope: eq // version: 7.30

Trust: 1.6

vendor: sap // model: netweaver // scope: eq // version: -

Trust: 1.6

vendor: sap // model: business application software integrated solution // scope: eq // version: 7.40

Trust: 1.6

vendor: sap // model: business application software integrated solution // scope: eq // version: 7.31

Trust: 1.6

vendor: sap // model: business application software integrated solution // scope: lte // version: 7.52

Trust: 1.0

vendor: sap // model: business application software integrated solution // scope: gte // version: 7.10

Trust: 1.0

vendor: sap // model: business application software integrated solution // scope: gte // version: 7.50

Trust: 1.0

vendor: sap // model: business application software integrated solution // scope: gte // version: 7.00

Trust: 1.0

vendor: sap // model: business application software integrated solution // scope: lte // version: 7.02

Trust: 1.0

vendor: sap // model: business application software integrated solution // scope: lte // version: 7.11

Trust: 1.0

vendor: sap // model: basis // scope: - // version: -

Trust: 0.8

vendor: sap // model: netweaver // scope: - // version: -

Trust: 0.8

vendor: sap // model: netweaver // scope: eq // version: 7.52

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.50

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.40

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.31

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.30

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.11

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.10

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.02

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.01

Trust: 0.3

vendor: sap // model: netweaver // scope: eq // version: 7.0

Trust: 0.3

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2363
value: HIGH

Trust: 1.0

NVD: CVE-2018-2363
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201801-344
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-2363
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2363
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2018-001368 // NVD: CVE-2018-2363

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-344

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201801-344

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001368

PATCH

title: January 2018 (2525392) // url: https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/

Trust: 0.8

title: SAP NetWeaver Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77611

Trust: 0.6

sources: JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344

EXTERNAL IDS

db: NVD // id: CVE-2018-2363

Trust: 2.7

db: BID // id: 102449

Trust: 2.1

db: JVNDB // id: JVNDB-2018-001368

Trust: 0.8

db: CNNVD // id: CNNVD-201801-344

Trust: 0.6

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

REFERENCES

url:https://launchpad.support.sap.com/#/notes/2525392

Trust: 1.9

url:https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/

Trust: 1.9

url:http://www.securityfocus.com/bid/102449

Trust: 1.8

url:https://launchpad.support.sap.com/#/notes/1906212

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2363

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-2363

Trust: 0.8

url:http://www.sap.com/

Trust: 0.3

sources: BID: 102449 // JVNDB: JVNDB-2018-001368 // CNNVD: CNNVD-201801-344 // NVD: CVE-2018-2363

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102449

SOURCES

db: BID // id: 102449
db: JVNDB // id: JVNDB-2018-001368
db: CNNVD // id: CNNVD-201801-344
db: NVD // id: CVE-2018-2363

LAST UPDATE DATE

2024-08-14T14:57:27.242000+00:00


SOURCES UPDATE DATE

db: BID // id: 102449 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001368 // date: 2018-02-09T00:00:00
db: CNNVD // id: CNNVD-201801-344 // date: 2018-01-10T00:00:00
db: NVD // id: CVE-2018-2363 // date: 2018-01-29T13:04:27.527

SOURCES RELEASE DATE

db: BID // id: 102449 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001368 // date: 2018-02-09T00:00:00
db: CNNVD // id: CNNVD-201801-344 // date: 2018-01-10T00:00:00
db: NVD // id: CVE-2018-2363 // date: 2018-01-09T15:29:00.370