Details of VAR-201904-1086

ID

VAR-201904-1086

CVE

CVE-2019-0283

TITLE

SAP NetWeaver Process Integration Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003333

DESCRIPTION

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document. An attacker can exploit this issue to conduct spoofing attacks, disclose sensitive information and perform unauthorized actions. This may aid in further attacks

Trust: 1.98

sources: NVD: CVE-2019-0283 // JVNDB: JVNDB-2019-003333 // BID: 107808 // VULMON: CVE-2019-0283

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.30	Trust: 1.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.31	Trust: 1.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.40	Trust: 1.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.50	Trust: 1.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.11	Trust: 1.0
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.10	Trust: 1.0
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	7.10 to 7.11	Trust: 0.8
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	750	Trust: 0.3
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	740	Trust: 0.3
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	731	Trust: 0.3
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	730	Trust: 0.3
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	711	Trust: 0.3
vendor:	sap	model:	netweaver process integration	scope:	eq	version:	710	Trust: 0.3

sources: BID: 107808 // JVNDB: JVNDB-2019-003333 // NVD: CVE-2019-0283

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-0283
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-0283
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201904-421
value:	HIGH
Trust: 0.6
VULMON:	CVE-2019-0283
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-0283
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2019-0283
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.0
Trust: 1.8

sources: VULMON: CVE-2019-0283 // JVNDB: JVNDB-2019-003333 // CNNVD: CNNVD-201904-421 // NVD: CVE-2019-0283

PROBLEMTYPE DATA

problemtype:	CWE-290	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: JVNDB: JVNDB-2019-003333 // NVD: CVE-2019-0283

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-421

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201904-421

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003333

PATCH

title:	SAP Security Patch Day - April 2019	url:	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114	Trust: 0.8
title:	SAP NetWeaver Process Integration Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91250	Trust: 0.6

sources: JVNDB: JVNDB-2019-003333 // CNNVD: CNNVD-201904-421

EXTERNAL IDS

db:	NVD	id:	CVE-2019-0283	Trust: 2.8
db:	BID	id:	107808	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-003333	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-421	Trust: 0.6
db:	VULMON	id:	CVE-2019-0283	Trust: 0.1

sources: VULMON: CVE-2019-0283 // BID: 107808 // JVNDB: JVNDB-2019-003333 // CNNVD: CNNVD-201904-421 // NVD: CVE-2019-0283

REFERENCES

url:	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=517899114	Trust: 2.0
url:	https://launchpad.support.sap.com/#/notes/2747683	Trust: 2.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-0283	Trust: 1.4
url:	http://www.securityfocus.com/bid/107808	Trust: 1.3
url:	http://www.sap.com/	Trust: 0.9
url:	https://help.sap.com/nw_platform	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0283	Trust: 0.8
url:	https://vigilance.fr/vulnerability/sap-multiples-vulnerabilities-of-april-2019-28982	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/290.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2019-0283 // BID: 107808 // JVNDB: JVNDB-2019-003333 // CNNVD: CNNVD-201904-421 // NVD: CVE-2019-0283

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 107808

SOURCES

db:	VULMON	id:	CVE-2019-0283
db:	BID	id:	107808
db:	JVNDB	id:	JVNDB-2019-003333
db:	CNNVD	id:	CNNVD-201904-421
db:	NVD	id:	CVE-2019-0283

LAST UPDATE DATE

2024-08-14T14:38:57.164000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2019-0283	date:	2020-08-24T00:00:00
db:	BID	id:	107808	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003333	date:	2019-05-15T00:00:00
db:	CNNVD	id:	CNNVD-201904-421	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-0283	date:	2020-08-24T17:37:01.140

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2019-0283	date:	2019-04-10T00:00:00
db:	BID	id:	107808	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003333	date:	2019-05-15T00:00:00
db:	CNNVD	id:	CNNVD-201904-421	date:	2019-04-09T00:00:00
db:	NVD	id:	CVE-2019-0283	date:	2019-04-10T21:29:01.277