CVE-2019-0315 - OpenCVE

Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Process Integration

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_process_integration:7.10:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.11:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.20:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.30:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.31:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.40:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.50:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2755438	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2019-06-12T16:11:08

Updated: 2019-06-12T16:11:08

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0315

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-12T17:29:03.747

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-0315

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver Process Integration(SAP_XIESR)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10 to 7.11"}, {"status": "affected", "version": "< 7.20"}, {"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}, {"product": "SAP NetWeaver Process Integration(SAP_XITOOL)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10 to 7.11"}, {"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}, {"product": "SAP NetWeaver Process Integration(SAP_XIPCK)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10 to 7.11"}, {"status": "affected", "version": "< 7.20"}, {"status": "affected", "version": "< 7.30"}]}], "descriptions": [{"lang": "en", "value": "Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-12T16:11:08", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2755438"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0315", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver Process Integration(SAP_XIESR)", "version": {"version_data": [{"version_name": "<", "version_value": "7.10 to 7.11"}, {"version_name": "<", "version_value": "7.20"}, {"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}, {"product_name": "SAP NetWeaver Process Integration(SAP_XITOOL)", "version": {"version_data": [{"version_name": "<", "version_value": "7.10 to 7.11"}, {"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}, {"product_name": "SAP NetWeaver Process Integration(SAP_XIPCK)", "version": {"version_data": [{"version_name": "<", "version_value": "7.10 to 7.11"}, {"version_name": "<", "version_value": "7.20"}, {"version_name": "<", "version_value": "7.30"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/2755438", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2755438"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0315", "datePublished": "2019-06-12T16:11:08", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2019-06-12T16:11:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "75E83C25-D30B-4459-A1F1-DE7EC9FD46BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*", "matchCriteriaId": "900D10B0-B47B-46B0-A0A9-8E41660429DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*", "matchCriteriaId": "D57CEB9D-5C06-4B3E-A36E-5B8689CA5657", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "3062CE84-B6E2-40DE-B7B1-0752FC21BFAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "587D81FB-B2ED-4184-9258-A38A18B36DC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "A325699D-6AB0-4BBC-A21C-A974FA1612DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "2A3A3226-28D1-4B43-942B-F41BD340E746", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Under certain conditions the PI Integration Builder Web UI of SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 and SAP_XIPCK 7.10 to 7.11, 7.20, 7.30) allows an attacker to access passwords used in FTP channels leading to information disclosure."}, {"lang": "es", "value": "Bajo ciertas condiciones, la interfaz de usuario web de PI Integration Builder de SAP NetWeaver Process Integration (versiones: SAP_XIESR: 7.10 a 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50 y SAP_XIPCK 7.10 a 7.11, 7.20, 7.30) permite a un atacante acceder a las contrase\u00f1as utilizadas en los canales FTP que conducen a la divulgaci\u00f3n de informaci\u00f3n."}], "id": "CVE-2019-0315", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-12T17:29:03.747", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2755438"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}