
CVE-2019-0271

 

  • Severity Score: 6.5 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform do not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22 (that is, ABAP Server 7.00 to 7.31) and Kernel 7.45, 7.49 or 7.53 (that is, ABAP Server 7.40 to 7.52 or ABAP Platform). For more recent updates, please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.


*Credits: N/A
CVSS Scores
CVSS v3 metrics
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS v2 metrics
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-11-26 CVE Reserved
  • 2019-03-12 CVE Published
  • 2024-03-05 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Sap; Product: Advanced Business Application Programming Platform; Version: --; Status: Affected
  • Vendor: Sap; Product: Advanced Business Application Programming Server; Version: >= 7.00 <= 7.31; Other: -; Status: Affected
  • Vendor: Sap; Product: Advanced Business Application Programming Server; Version: >= 7.40 <= 7.52; Other: -; Status: Affected
  • Vendor: Sap; Product: Sap Kernel; Version: 7.21; Other: -; Status: Affected
  • Vendor: Sap; Product: Sap Kernel; Version: 7.22; Other: -; Status: Affected
  • Vendor: Sap; Product: Sap Kernel; Version: 7.45; Other: -; Status: Affected
  • Vendor: Sap; Product: Sap Kernel; Version: 7.49; Other: -; Status: Affected
  • Vendor: Sap; Product: Sap Kernel; Version: 7.53; Other: -; Status: Affected