CVE-2019-0305 - OpenCVE

Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Process Integration

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_process_integration:7.10:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.11:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.20:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.30:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.31:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.40:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.50:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2755502	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2019-06-12T14:21:39

Updated: 2019-06-12T16:11:08

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0305

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-12T15:29:00.270

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-0305

JSON object: View

Redhat Information

No data.

CWE

CWE-1021

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver Process Integration(SAP_XIESR and SAP_XITOOL)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10 to 7.11"}, {"status": "affected", "version": "< 7.2"}, {"status": "affected", "version": "< 7.3"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.4"}, {"status": "affected", "version": "< 7.5"}]}], "descriptions": [{"lang": "en", "value": "Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data."}], "problemTypes": [{"descriptions": [{"description": "Clickjacking", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-12T16:11:08", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2755502"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0305", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver Process Integration(SAP_XIESR and SAP_XITOOL)", "version": {"version_data": [{"version_name": "<", "version_value": "7.10 to 7.11"}, {"version_name": "<", "version_value": "7.2"}, {"version_name": "<", "version_value": "7.3"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.4"}, {"version_name": "<", "version_value": "7.5"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Clickjacking"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/2755502", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2755502"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0305", "datePublished": "2019-06-12T14:21:39", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2019-06-12T16:11:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "75E83C25-D30B-4459-A1F1-DE7EC9FD46BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*", "matchCriteriaId": "900D10B0-B47B-46B0-A0A9-8E41660429DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*", "matchCriteriaId": "D57CEB9D-5C06-4B3E-A36E-5B8689CA5657", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "3062CE84-B6E2-40DE-B7B1-0752FC21BFAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "587D81FB-B2ED-4184-9258-A38A18B36DC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "A325699D-6AB0-4BBC-A21C-A974FA1612DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "2A3A3226-28D1-4B43-942B-F41BD340E746", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data."}, {"lang": "es", "value": "Las p\u00e1ginas de servidor Java (JSP) proporcionadas por la integraci\u00f3n de procesos de SAP NetWeaver (SAP_XIESR y SAP_XITOOL: versi\u00f3n 7.10 hasta 7.11, y versiones 7.20, 7.30, 7.31, 7.40, 7.50) no restringen o restringen incorrectamente los objetos frame o las capas IU que pertenecen a otra aplicaci\u00f3n o dominio , resultando en una vulnerabilidad de tipo clickjacking. La explotaci\u00f3n con \u00e9xito de esta vulnerabilidad conlleva a una modificaci\u00f3n no deseada de los datos del usuario."}], "id": "CVE-2019-0305", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-12T15:29:00.270", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2755502"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}]}