ID

VAR-201906-1077


CVE

CVE-2019-0305


TITLE

SAP NetWeaver Process Integration vulnerable to deserialization of untrusted data

Trust: 0.8

sources: JVNDB: JVNDB-2019-005488

DESCRIPTION

Java Server Pages (JSPs) provided by SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict, or incorrectly restrict, frame objects or UI layers that belong to another application or domain, resulting in a Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of the user's data. NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL) contains a vulnerability in the deserialization of untrusted data. Information may be tampered with. Successful exploits will allow an attacker to compromise the affected application. Other attacks are also possible. SAP NetWeaver Process Integration versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2019-0305 // JVNDB: JVNDB-2019-005488 // BID: 108702

AFFECTED PRODUCTS

vendor: sap, model: netweaver process integration, scope: eq, version: 7.50

Trust: 2.1

vendor: sap, model: netweaver process integration, scope: eq, version: 7.40

Trust: 2.1

vendor: sap, model: netweaver process integration, scope: eq, version: 7.31

Trust: 2.1

vendor: sap, model: netweaver process integration, scope: eq, version: 7.30

Trust: 2.1

vendor: sap, model: netweaver process integration, scope: eq, version: 7.20

Trust: 2.1

vendor: sap, model: netweaver process integration, scope: eq, version: 7.11

Trust: 1.3

vendor: sap, model: netweaver process integration, scope: eq, version: 7.10

Trust: 1.3

vendor: sap, model: netweaver process integration, scope: eq, version: 7.10 to 7.11

Trust: 0.8

sources: BID: 108702 // JVNDB: JVNDB-2019-005488 // NVD: CVE-2019-0305

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-0305
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-0305
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-500
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-0305
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2019-0305
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2019-005488 // CNNVD: CNNVD-201906-500 // NVD: CVE-2019-0305

PROBLEMTYPE DATA

problemtype: CWE-1021

Trust: 1.0

problemtype: CWE-502

Trust: 0.8

sources: JVNDB: JVNDB-2019-005488 // NVD: CVE-2019-0305

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-500

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-500

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005488

PATCH

title: SAP Security Patch Day - June 2019
url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242

Trust: 0.8

title: SAP NetWeaver Process Integration Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93735

Trust: 0.6

sources: JVNDB: JVNDB-2019-005488 // CNNVD: CNNVD-201906-500

EXTERNAL IDS

db: NVD, id: CVE-2019-0305

Trust: 2.7

db: BID, id: 108702

Trust: 0.9

db: JVNDB, id: JVNDB-2019-005488

Trust: 0.8

db: CNNVD, id: CNNVD-201906-500

Trust: 0.6

sources: BID: 108702 // JVNDB: JVNDB-2019-005488 // CNNVD: CNNVD-201906-500 // NVD: CVE-2019-0305

REFERENCES

url: https://launchpad.support.sap.com/#/notes/2755502

Trust: 1.9

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=521864242

Trust: 1.9

url: http://www.sap.com

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0305

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2019-0305

Trust: 0.8

url: https://www.securityfocus.com/bid/108702

Trust: 0.6

sources: BID: 108702 // JVNDB: JVNDB-2019-005488 // CNNVD: CNNVD-201906-500 // NVD: CVE-2019-0305

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108702

SOURCES

db: BID, id: 108702
db: JVNDB, id: JVNDB-2019-005488
db: CNNVD, id: CNNVD-201906-500
db: NVD, id: CVE-2019-0305

LAST UPDATE DATE

2024-08-14T15:23:04.944000+00:00


SOURCES UPDATE DATE

db: BID, id: 108702, date: 2019-06-11T00:00:00
db: JVNDB, id: JVNDB-2019-005488, date: 2019-06-20T00:00:00
db: CNNVD, id: CNNVD-201906-500, date: 2019-06-17T00:00:00
db: NVD, id: CVE-2019-0305, date: 2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db: BID, id: 108702, date: 2019-06-11T00:00:00
db: JVNDB, id: JVNDB-2019-005488, date: 2019-06-20T00:00:00
db: CNNVD, id: CNNVD-201906-500, date: 2019-06-11T00:00:00
db: NVD, id: CVE-2019-0305, date: 2019-06-12T15:29:00.270