Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-0283

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.

Published

2019-04-10T21:29:01.277

Last Modified

2024-11-21T04:16:38.147

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-290

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	netweaver_process_integration	7.10	Yes
Application	sap	netweaver_process_integration	7.11	Yes
Application	sap	netweaver_process_integration	7.30	Yes
Application	sap	netweaver_process_integration	7.31	Yes
Application	sap	netweaver_process_integration	7.40	Yes
Application	sap	netweaver_process_integration	7.50	Yes

References

https://launchpad.support.sap.com/#/notes/2747683 Permissions Required, Vendor Advisory ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Vendor Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/2747683 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)