CVE-2019-0355 - OpenCVE

SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Application Server Java

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_application_server_java:7.10:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.20:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.30:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.31:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.40:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.50:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2798336	Permissions Required Third Party Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2019-09-10T16:07:10

Updated: 2019-09-10T16:07:10

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0355

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-10T17:15:10.923

Modified: 2019-09-11T14:16:44.730

Link: CVE-2019-0355

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver AS for Java (Web Container)-ENGINEAPI", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.10"}, {"status": "affected", "version": "< 7.20"}, {"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}, {"product": "SAP NetWeaver AS for Java (Web Container)-SAP-JEECOR", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 6.40"}, {"status": "affected", "version": "< 7.0"}, {"status": "affected", "version": "< 7.01"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application."}], "problemTypes": [{"descriptions": [{"description": "Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-10T16:07:10", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2798336"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver AS for Java (Web Container)-ENGINEAPI", "version": {"version_data": [{"version_name": "<", "version_value": "7.10"}, {"version_name": "<", "version_value": "7.20"}, {"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}, {"product_name": "SAP NetWeaver AS for Java (Web Container)-SAP-JEECOR", "version": {"version_data": [{"version_name": "<", "version_value": "6.40"}, {"version_name": "<", "version_value": "7.0"}, {"version_name": "<", "version_value": "7.01"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}, {"name": "https://launchpad.support.sap.com/#/notes/2798336", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2798336"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0355", "datePublished": "2019-09-10T16:07:10", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2019-09-10T16:07:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "D60371A7-F8F4-46F8-9659-DD4EE84B81EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*", "matchCriteriaId": "43A28C48-4325-4694-88B1-FEE46EBFB0A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "24A1E0B9-8C28-41BC-B050-237B5F929C9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "EEAE6C2A-821F-4123-BD56-0FDADF9D63C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "F5308FCE-8B2C-4B4D-BEE7-3CF544570B68", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "9C506445-3787-4BFF-A98B-7502A0F7CF80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application."}, {"lang": "es", "value": "SAP NetWeaver Application Server Java Web Container, ENGINEAPI (versiones anteriores a 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) y SAP-JEECOR (versiones anteriores a 6.40, 7.0, 7.01), permiten a un atacante inyectar c\u00f3digo que puede ser ejecutado por la aplicaci\u00f3n. Un atacante podr\u00eda de este modo controlar el comportamiento de la aplicaci\u00f3n."}], "id": "CVE-2019-0355", "lastModified": "2019-09-11T14:16:44.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-10T17:15:10.923", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2798336"}, {"source": "cna@sap.com", "tags": ["Third Party Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}