CVE-2019-0340
Vulnerability from cvelistv5
Published
2019-08-14 13:51
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2794742 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 | Vendor Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
SAP SE | SAP Enable Now |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:16.515Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://launchpad.support.sap.com/#/notes/2794742" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "SAP Enable Now", "vendor": "SAP SE", "versions": [ { "status": "affected", "version": "\u003c 1902" } ] } ], "descriptions": [ { "lang": "en", "value": "The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files." } ], "problemTypes": [ { "descriptions": [ { "description": "Missing XML Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-14T13:51:45", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017" }, { "tags": [ "x_refsource_MISC" ], "url": "https://launchpad.support.sap.com/#/notes/2794742" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0340", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SAP Enable Now", "version": { "version_data": [ { "version_name": "\u003c", "version_value": "1902" } ] } } ] }, "vendor_name": "SAP SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Missing XML Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017" }, { "name": "https://launchpad.support.sap.com/#/notes/2794742", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2794742" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0340", "datePublished": "2019-08-14T13:51:45", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.515Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-0340\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2019-08-14T14:15:16.260\",\"lastModified\":\"2020-08-24T17:37:01.140\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read local XXE files.\"},{\"lang\":\"es\",\"value\":\"El analizador XML, que est\u00e1 siendo usado por SAP Enable Now, versiones anteriores a 1902, no ha sido fortalecido correctamente, conllevando a una vulnerabilidad de Falta de Comprobaci\u00f3n de XML. Este problema afecta a la carga de archivos en varias ubicaciones. Un atacante puede leer archivos XXE locales.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.5},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1902\",\"matchCriteriaId\":\"3F27FD84-DDBA-4F65-B27A-AB7A029220D2\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2794742\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.