CVE-2019-0344 (GCVE-0-2019-0344)
Vulnerability from cvelistv5 – Published: 2019-08-14 13:53 – Updated: 2025-10-21 23:45
VLAI?
CISA
Summary
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
Severity ?
9.8 (Critical)
CWE
- Code Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Commerce Cloud (virtualjdbc extension) |
Affected:
< 6.4
Affected: < 6.5 Affected: < 6.6 Affected: < 6.7 Affected: < 1808 Affected: < 1811 Affected: < 1905 |
CISA Known Exploited Vulnerability
Data from the CISA Known Exploited Vulnerabilities Catalog
Date added: 2024-09-30
Due date: 2024-10-21
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Used in ransomware: Unknown
Notes: https://web.archive.org/web/20191214053020/https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 ; https://nvd.nist.gov/vuln/detail/CVE-2019-0344
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2786035"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "1808"
},
{
"status": "affected",
"version": "1811"
},
{
"status": "affected",
"version": "1905"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"dateAdded": "2024-09-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344"
},
"type": "kev"
}
},
{
"other": {
"content": {
"id": "CVE-2019-0344",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T13:32:40.662258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:45:32.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-30T00:00:00+00:00",
"value": "CVE-2019-0344 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SAP Commerce Cloud (virtualjdbc extension)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 6.4"
},
{
"status": "affected",
"version": "\u003c 6.5"
},
{
"status": "affected",
"version": "\u003c 6.6"
},
{
"status": "affected",
"version": "\u003c 6.7"
},
{
"status": "affected",
"version": "\u003c 1808"
},
{
"status": "affected",
"version": "\u003c 1811"
},
{
"status": "affected",
"version": "\u003c 1905"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-14T13:53:21.000Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2786035"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0344",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Commerce Cloud (virtualjdbc extension)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "6.4"
},
{
"version_name": "\u003c",
"version_value": "6.5"
},
{
"version_name": "\u003c",
"version_value": "6.6"
},
{
"version_name": "\u003c",
"version_value": "6.7"
},
{
"version_name": "\u003c",
"version_value": "1808"
},
{
"version_name": "\u003c",
"version_value": "1811"
},
{
"version_name": "\u003c",
"version_value": "1905"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017",
"refsource": "MISC",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2786035",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2786035"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0344",
"datePublished": "2019-08-14T13:53:21.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:45:32.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2019-0344",
"cwes": "[\"CWE-502\"]",
"dateAdded": "2024-09-30",
"dueDate": "2024-10-21",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://web.archive.org/web/20191214053020/https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 ; https://nvd.nist.gov/vuln/detail/CVE-2019-0344",
"product": "Commerce Cloud",
"requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.",
"vendorProject": "SAP",
"vulnerabilityName": "SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability"
},
"fkie_nvd": {
"cisaActionDue": "2024-10-21",
"cisaExploitAdd": "2024-09-30",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6E1C7951-7EDB-4BFC-ABF2-906778CD058F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B9D2F233-16BB-4E4F-8FA3-FB03A0C198E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB45CC6E-1837-4B0A-9F78-730161506D6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F32D694A-18E7-40E3-8EE0-9A240DED7A34\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5649AB0A-1D84-4716-A178-F196A1DA9C1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A9DE60D1-95FF-4220-AE63-2C351781FDA1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"19E11B22-F514-48D6-B78F-8A64CE1BA364\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection.\"}, {\"lang\": \"es\", \"value\": \"Debido a una deserializaci\\u00f3n no confiable usada en SAP Commerce Cloud (virtualjdbc extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, es posible ejecutar c\\u00f3digo arbitrario en una m\\u00e1quina de destino con derechos de usuario \u0027Hybris\u0027, resultando en Inyecci\\u00f3n de C\\u00f3digo.\"}]",
"id": "CVE-2019-0344",
"lastModified": "2024-11-21T04:16:42.990",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-08-14T14:15:16.463",
"references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"source\": \"cna@sap.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-0344\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2019-08-14T14:15:16.463\",\"lastModified\":\"2025-10-31T22:05:32.463\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection.\"},{\"lang\":\"es\",\"value\":\"Debido a una deserializaci\u00f3n no confiable usada en SAP Commerce Cloud (virtualjdbc extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, es posible ejecutar c\u00f3digo arbitrario en una m\u00e1quina de destino con derechos de usuario \u0027Hybris\u0027, resultando en Inyecci\u00f3n de C\u00f3digo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2024-09-30\",\"cisaActionDue\":\"2024-10-21\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E1C7951-7EDB-4BFC-ABF2-906778CD058F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9D2F233-16BB-4E4F-8FA3-FB03A0C198E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB45CC6E-1837-4B0A-9F78-730161506D6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F32D694A-18E7-40E3-8EE0-9A240DED7A34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5649AB0A-1D84-4716-A178-F196A1DA9C1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9DE60D1-95FF-4220-AE63-2C351781FDA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"19E11B22-F514-48D6-B78F-8A64CE1BA364\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2786035\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\",\"source\":\"cna@sap.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2786035\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T17:44:16.517Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2024-09-30\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344\"}}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-0344\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-04T13:32:40.662258Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*\", \"cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*\"], \"vendor\": \"sap\", \"product\": \"commerce_cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"1808\"}, {\"status\": \"affected\", \"version\": \"1811\"}, {\"status\": \"affected\", \"version\": \"1905\"}, {\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"affected\", \"version\": \"6.5\"}, {\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"affected\", \"version\": \"6.7\"}], \"defaultStatus\": \"unknown\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-30T00:00:00+00:00\", \"value\": \"CVE-2019-0344 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-04T13:35:19.686Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"SAP SE\", \"product\": \"SAP Commerce Cloud (virtualjdbc extension)\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 6.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 6.6\"}, {\"status\": \"affected\", \"version\": \"\u003c 6.7\"}, {\"status\": \"affected\", \"version\": \"\u003c 1808\"}, {\"status\": \"affected\", \"version\": \"\u003c 1811\"}, {\"status\": \"affected\", \"version\": \"\u003c 1905\"}]}], \"references\": [{\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Code Injection\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2019-08-14T13:53:21.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"\u003c\", \"version_value\": \"6.4\"}, {\"version_name\": \"\u003c\", \"version_value\": \"6.5\"}, {\"version_name\": \"\u003c\", \"version_value\": \"6.6\"}, {\"version_name\": \"\u003c\", \"version_value\": \"6.7\"}, {\"version_name\": \"\u003c\", \"version_value\": \"1808\"}, {\"version_name\": \"\u003c\", \"version_value\": \"1811\"}, {\"version_name\": \"\u003c\", \"version_value\": \"1905\"}]}, \"product_name\": \"SAP Commerce Cloud (virtualjdbc extension)\"}]}, \"vendor_name\": \"SAP SE\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"name\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017\", \"refsource\": \"MISC\"}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"name\": \"https://launchpad.support.sap.com/#/notes/2786035\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with \u0027Hybris\u0027 user rights, resulting in Code Injection.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Code Injection\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2019-0344\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cna@sap.com\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2019-0344\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:45:32.174Z\", \"dateReserved\": \"2018-11-26T00:00:00.000Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2019-08-14T13:53:21.000Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…