CVE-2019-0283

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.

SAP NetWeaver Process Integration (Adapter Engine), ejecutado en las versiones 7.10 hasta 7.11, 7.30, 7.31, 7.40, 7.50; Es vulnerable a la Falsificación de Firma Digital. Es posible falsificar firmas XML y enviar peticiones arbitrarias al servidor por medio del adaptador PI Axis. Estas peticiones serán aceptadas por el adaptador PI Axis incluso si la carga ha sido alterada, especialmente cuando el elemento firmado es el cuerpo del documento xml.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-11-26 CVE Reserved
2019-04-10 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114	2020-08-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.10 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.10"		-		Affected
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.11 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.11"		-		Affected
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.30 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.30"		-		Affected
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.31 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.31"		-		Affected
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.40 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.40"		-		Affected
Sap Search vendor "Sap"		Netweaver Process Integration Search vendor "Sap" for product "Netweaver Process Integration"				7.50 Search vendor "Sap" for product "Netweaver Process Integration" and version "7.50"		-		Affected