ID

VAR-201812-0566


CVE

CVE-2018-2503


TITLE

SAP NetWeaver AS Java keystore service authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-013045

DESCRIPTION

By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). SAP NetWeaver is prone to an information disclosure vulnerability. An attacker can exploit this issue to gain sensitive information that may aid in further attacks. NetWeaver 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2018-2503 // JVNDB: JVNDB-2018-013045 // BID: 106156

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 1.7

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 1.7

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 1.7

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 1.7

vendor: sap, model: netweaver, scope: eq, version: 7.20

Trust: 1.7

vendor: sap, model: netweaver, scope: eq, version: 7.11

Trust: 1.7

vendor: sap, model: netweaver application server java, scope: eq, version: 7.31

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.30

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.40

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.11

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.50

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.20

Trust: 1.0

sources: BID: 106156 // JVNDB: JVNDB-2018-013045 // CNNVD: CNNVD-201812-480 // NVD: CVE-2018-2503

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2503
value: HIGH

Trust: 1.0

NVD: CVE-2018-2503
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-480
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-2503
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2503
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2018-2503
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2018-013045 // CNNVD: CNNVD-201812-480 // NVD: CVE-2018-2503

PROBLEMTYPE DATA

problemtype: CWE-862

Trust: 1.0

problemtype: CWE-285

Trust: 0.8

sources: JVNDB: JVNDB-2018-013045 // NVD: CVE-2018-2503

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201812-480

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201812-480

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013045

PATCH

title: SAP Security Patch Day - December 2018, url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699

Trust: 0.8

title: SAP NetWeaver AS Java Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87728

Trust: 0.6

sources: JVNDB: JVNDB-2018-013045 // CNNVD: CNNVD-201812-480

EXTERNAL IDS

db: NVD, id: CVE-2018-2503

Trust: 2.7

db: BID, id: 106156

Trust: 1.9

db: JVNDB, id: JVNDB-2018-013045

Trust: 0.8

db: CNNVD, id: CNNVD-201812-480

Trust: 0.6

sources: BID: 106156 // JVNDB: JVNDB-2018-013045 // CNNVD: CNNVD-201812-480 // NVD: CVE-2018-2503

REFERENCES

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=508559699

Trust: 1.9

url: http://www.securityfocus.com/bid/106156

Trust: 1.6

url: https://launchpad.support.sap.com/#/notes/2658279

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2503

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-2503

Trust: 0.8

url: http://www.sap.com

Trust: 0.3

url: https://service.sap.com/sap/support/notes/2658279

Trust: 0.3

sources: BID: 106156 // JVNDB: JVNDB-2018-013045 // CNNVD: CNNVD-201812-480 // NVD: CVE-2018-2503

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 106156

SOURCES

db: BID, id: 106156
db: JVNDB, id: JVNDB-2018-013045
db: CNNVD, id: CNNVD-201812-480
db: NVD, id: CVE-2018-2503

LAST UPDATE DATE

2024-11-23T21:37:55.619000+00:00


SOURCES UPDATE DATE

db: BID, id: 106156, date: 2018-12-11T00:00:00
db: JVNDB, id: JVNDB-2018-013045, date: 2019-02-13T00:00:00
db: CNNVD, id: CNNVD-201812-480, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-2503, date: 2024-11-21T04:03:55.670

SOURCES RELEASE DATE

db: BID, id: 106156, date: 2018-12-11T00:00:00
db: JVNDB, id: JVNDB-2018-013045, date: 2019-02-13T00:00:00
db: CNNVD, id: CNNVD-201812-480, date: 2018-12-12T00:00:00
db: NVD, id: CVE-2018-2503, date: 2018-12-11T22:29:00.593