ID

VAR-201809-0967


CVE

CVE-2018-2462


TITLE

SAP NetWeaver BI Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-010854

DESCRIPTION

In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31, 7.40, 7.41, 7.50 does not sufficiently validate an XML document accepted from an untrusted source. SAP NetWeaver BI contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). SAP NetWeaver Business Intelligence is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions. NetWeaver Business Intelligence 7.30, 7.31, 7.40, 7.41, and 7.50 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2018-2462 // JVNDB: JVNDB-2018-010854 // BID: 105326

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 2.4

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 2.4

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 2.4

vendor: sap, model: netweaver, scope: eq, version: 7.41

Trust: 2.4

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 2.4

vendor: sap, model: netweaver business intelligence, scope: eq, version: 7.50

Trust: 0.3

vendor: sap, model: netweaver business intelligence, scope: eq, version: 7.41

Trust: 0.3

vendor: sap, model: netweaver business intelligence, scope: eq, version: 7.40

Trust: 0.3

vendor: sap, model: netweaver business intelligence, scope: eq, version: 7.31

Trust: 0.3

vendor: sap, model: netweaver business intelligence, scope: eq, version: 7.30

Trust: 0.3

sources: BID: 105326 // JVNDB: JVNDB-2018-010854 // CNNVD: CNNVD-201809-555 // NVD: CVE-2018-2462

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-2462
value: HIGH

Trust: 1.0

NVD: CVE-2018-2462
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-555
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-2462
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-2462
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-010854 // CNNVD: CNNVD-201809-555 // NVD: CVE-2018-2462

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2018-010854 // NVD: CVE-2018-2462

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-555

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201809-555

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010854

PATCH

title: SAP Security Patch Day - September 2018
url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Trust: 0.8

title: SAP NetWeaver BI Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84825

Trust: 0.6

sources: JVNDB: JVNDB-2018-010854 // CNNVD: CNNVD-201809-555

EXTERNAL IDS

db: NVD, id: CVE-2018-2462

Trust: 2.7

db: BID, id: 105326

Trust: 1.3

db: JVNDB, id: JVNDB-2018-010854

Trust: 0.8

db: CNNVD, id: CNNVD-201809-555

Trust: 0.6

sources: BID: 105326 // JVNDB: JVNDB-2018-010854 // CNNVD: CNNVD-201809-555 // NVD: CVE-2018-2462

REFERENCES

url: https://launchpad.support.sap.com/#/notes/2644279

Trust: 1.9

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=499356993

Trust: 1.9

url: http://www.securityfocus.com/bid/105326

Trust: 1.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2462

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-2462

Trust: 0.8

url: http://www.sap.com/

Trust: 0.3

sources: BID: 105326 // JVNDB: JVNDB-2018-010854 // CNNVD: CNNVD-201809-555 // NVD: CVE-2018-2462

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105326

SOURCES

db: BID, id: 105326
db: JVNDB, id: JVNDB-2018-010854
db: CNNVD, id: CNNVD-201809-555
db: NVD, id: CVE-2018-2462

LAST UPDATE DATE

2024-11-23T23:02:01.030000+00:00


SOURCES UPDATE DATE

db: BID, id: 105326, date: 2018-09-11T00:00:00
db: JVNDB, id: JVNDB-2018-010854, date: 2018-12-26T00:00:00
db: CNNVD, id: CNNVD-201809-555, date: 2018-09-14T00:00:00
db: NVD, id: CVE-2018-2462, date: 2024-11-21T04:03:51.467

SOURCES RELEASE DATE

db: BID, id: 105326, date: 2018-09-11T00:00:00
db: JVNDB, id: JVNDB-2018-010854, date: 2018-12-26T00:00:00
db: CNNVD, id: CNNVD-201809-555, date: 2018-09-11T00:00:00
db: NVD, id: CVE-2018-2462, date: 2018-09-11T15:29:01.750