ID

VAR-201812-0571


CVE

CVE-2018-2492


TITLE

SAP NetWeaver AS Java Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-013092

DESCRIPTION

The SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. SAP NetWeaver AS Java contains an input validation vulnerability. Information may be tampered with and service operations may be disrupted (DoS). SAP NetWeaver AS Java is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions.

Trust: 1.89

sources: NVD: CVE-2018-2492 // JVNDB: JVNDB-2018-013092 // BID: 106153

AFFECTED PRODUCTS

vendor: sap, model: netweaver application server java, scope: eq, version: 7.31

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.30

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.40

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.50

Trust: 1.0

vendor: sap, model: netweaver application server java, scope: eq, version: 7.20

Trust: 1.0

vendor: sap, model: netweaver, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 0.6

vendor: sap, model: netweaver, scope: eq, version: 7.20

Trust: 0.6

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 0.6

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 0.6

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 0.6

vendor: sap, model: netweaver as java, scope: eq, version: 7.50

Trust: 0.3

vendor: sap, model: netweaver as java, scope: eq, version: 7.31

Trust: 0.3

vendor: sap, model: netweaver as java, scope: eq, version: 7.30

Trust: 0.3

vendor: sap, model: netweaver as java, scope: eq, version: 7.20

Trust: 0.3

sources: BID: 106153 // JVNDB: JVNDB-2018-013092 // CNNVD: CNNVD-201812-485 // NVD: CVE-2018-2492

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2492
value: HIGH

Trust: 1.0

NVD: CVE-2018-2492
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-485
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-2492
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2492
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: CVE-2018-2492
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2018-013092 // CNNVD: CNNVD-201812-485 // NVD: CVE-2018-2492

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2018-013092 // NVD: CVE-2018-2492

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-485

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201812-485

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013092

PATCH

title: SAP Security Patch Day - December 2018, url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699

Trust: 0.8

title: SAP NetWeaver AS Java Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87733

Trust: 0.6

sources: JVNDB: JVNDB-2018-013092 // CNNVD: CNNVD-201812-485

EXTERNAL IDS

db: NVD, id: CVE-2018-2492

Trust: 2.7

db: BID, id: 106153

Trust: 1.9

db: JVNDB, id: JVNDB-2018-013092

Trust: 0.8

db: CNNVD, id: CNNVD-201812-485

Trust: 0.6

sources: BID: 106153 // JVNDB: JVNDB-2018-013092 // CNNVD: CNNVD-201812-485 // NVD: CVE-2018-2492

REFERENCES

url:https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=508559699

Trust: 1.9

url:http://www.securityfocus.com/bid/106153

Trust: 1.6

url:https://launchpad.support.sap.com/#/notes/2642680

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2492

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-2492

Trust: 0.8

url:https://wiki.scn.sap.com/wiki/display/asjava/as+java+home

Trust: 0.3

url:http://www.sap.com/

Trust: 0.3

sources: BID: 106153 // JVNDB: JVNDB-2018-013092 // CNNVD: CNNVD-201812-485 // NVD: CVE-2018-2492

CREDITS

SAP

Trust: 0.3

sources: BID: 106153

SOURCES

db: BID, id: 106153
db: JVNDB, id: JVNDB-2018-013092
db: CNNVD, id: CNNVD-201812-485
db: NVD, id: CVE-2018-2492

LAST UPDATE DATE

2024-11-23T23:04:55.644000+00:00


SOURCES UPDATE DATE

db: BID, id: 106153, date: 2018-12-11T00:00:00
db: JVNDB, id: JVNDB-2018-013092, date: 2019-02-14T00:00:00
db: CNNVD, id: CNNVD-201812-485, date: 2021-04-22T00:00:00
db: NVD, id: CVE-2018-2492, date: 2024-11-21T04:03:54.950

SOURCES RELEASE DATE

db: BID, id: 106153, date: 2018-12-11T00:00:00
db: JVNDB, id: JVNDB-2018-013092, date: 2019-02-14T00:00:00
db: CNNVD, id: CNNVD-201812-485, date: 2018-12-12T00:00:00
db: NVD, id: CVE-2018-2492, date: 2018-12-11T22:29:00.297