ID

VAR-201811-0445


CVE

CVE-2018-2477


TITLE

SAP NetWeaver Blind XPath Injection Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-014196

DESCRIPTION

Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50, does not sufficiently validate an XML document accepted from an untrusted source. SAP NetWeaver contains a blind XPath injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions.

Trust: 1.89

sources: NVD: CVE-2018-2477 // JVNDB: JVNDB-2018-014196 // BID: 105901

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 2.1

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 2.1

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 2.1

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 2.1

vendor: sap, model: knowledge management, scope: eq, version: 0

Trust: 0.3

sources: BID: 105901 // JVNDB: JVNDB-2018-014196 // NVD: CVE-2018-2477

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-2477
value: HIGH

Trust: 1.0

NVD: CVE-2018-2477
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201811-401
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-2477
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-2477
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-014196 // CNNVD: CNNVD-201811-401 // NVD: CVE-2018-2477

PROBLEMTYPE DATA

problemtype: CWE-91

Trust: 1.8

sources: JVNDB: JVNDB-2018-014196 // NVD: CVE-2018-2477

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-401

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201811-401

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014196

PATCH

title: SAP Security Patch Day - November 2018
url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832

Trust: 0.8

title: SAP NetWeaver Knowledge Management (XMLForms) Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86811

Trust: 0.6

sources: JVNDB: JVNDB-2018-014196 // CNNVD: CNNVD-201811-401

EXTERNAL IDS

db: NVD, id: CVE-2018-2477

Trust: 2.7

db: BID, id: 105901

Trust: 1.9

db: JVNDB, id: JVNDB-2018-014196

Trust: 0.8

db: CNNVD, id: CNNVD-201811-401

Trust: 0.6

sources: BID: 105901 // JVNDB: JVNDB-2018-014196 // CNNVD: CNNVD-201811-401 // NVD: CVE-2018-2477

REFERENCES

url:https://launchpad.support.sap.com/#/notes/2661740

Trust: 1.9

url:https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=503809832

Trust: 1.9

url:http://www.securityfocus.com/bid/105901

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2477

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-2477

Trust: 0.8

url:http://www.sap.com/

Trust: 0.3

sources: BID: 105901 // JVNDB: JVNDB-2018-014196 // CNNVD: CNNVD-201811-401 // NVD: CVE-2018-2477

CREDITS

SAP

Trust: 0.9

sources: BID: 105901 // CNNVD: CNNVD-201811-401

SOURCES

db: BID, id: 105901
db: JVNDB, id: JVNDB-2018-014196
db: CNNVD, id: CNNVD-201811-401
db: NVD, id: CVE-2018-2477

LAST UPDATE DATE

2024-11-23T23:11:58.356000+00:00


SOURCES UPDATE DATE

db: BID, id: 105901, date: 2018-11-13T00:00:00
db: JVNDB, id: JVNDB-2018-014196, date: 2019-03-14T00:00:00
db: CNNVD, id: CNNVD-201811-401, date: 2019-02-11T00:00:00
db: NVD, id: CVE-2018-2477, date: 2024-11-21T04:03:53.270

SOURCES RELEASE DATE

db: BID, id: 105901, date: 2018-11-13T00:00:00
db: JVNDB, id: JVNDB-2018-014196, date: 2019-03-14T00:00:00
db: CNNVD, id: CNNVD-201811-401, date: 2018-11-14T00:00:00
db: NVD, id: CVE-2018-2477, date: 2018-11-13T20:29:00.420