CVE-2018-2363 - Vulnerability Details - OpenCVE

SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Business Application Software Integrated Solution Netweaver

Configuration 1 [-]

cpe:2.3:a:sap:netweaver:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:sap:business_application_software_integrated_solution::::::::
	cpe:2.3:a:sap:business_application_software_integrated_solution::::::::
	cpe:2.3:a:sap:business_application_software_integrated_solution::::::::
	cpe:2.3:a:sap:business_application_software_integrated_solution:7.30:::::::*
	cpe:2.3:a:sap:business_application_software_integrated_solution:7.31:::::::*
	cpe:2.3:a:sap:business_application_software_integrated_solution:7.40:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102449
https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/
https://launchpad.support.sap.com/#/notes/1906212
https://launchpad.support.sap.com/#/notes/2525392

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2018-01-09T15:00:00

Updated: 2024-08-05T04:14:39.709Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2018-2363

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-01-09T15:29:00.370

Modified: 2024-11-21T04:03:40.973

Link: CVE-2018-2363

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "7.00"}, {"status": "affected", "version": "7.02"}, {"status": "affected", "version": "7.10"}, {"status": "affected", "version": "7.11"}, {"status": "affected", "version": "7.30"}, {"status": "affected", "version": "7.31"}, {"status": "affected", "version": "7.40"}, {"status": "affected", "version": "7.50"}, {"status": "affected", "version": "7.52"}]}], "datePublic": "2018-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."}], "problemTypes": [{"descriptions": [{"description": "Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-11T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/1906212"}, {"name": "102449", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102449"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/2525392"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2363", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver", "version": {"version_data": [{"version_affected": "=", "version_value": "7.00"}, {"version_affected": "=", "version_value": "7.02"}, {"version_affected": "=", "version_value": "7.10"}, {"version_affected": "=", "version_value": "7.11"}, {"version_affected": "=", "version_value": "7.30"}, {"version_affected": "=", "version_value": "7.31"}, {"version_affected": "=", "version_value": "7.40"}, {"version_affected": "=", "version_value": "7.50"}, {"version_affected": "=", "version_value": "7.52"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"}, {"name": "https://launchpad.support.sap.com/#/notes/1906212", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/1906212"}, {"name": "102449", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102449"}, {"name": "https://launchpad.support.sap.com/#/notes/2525392", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2525392"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:14:39.709Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/1906212"}, {"name": "102449", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102449"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2525392"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2363", "datePublished": "2018-01-09T15:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:14:39.709Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB7AAA9B-5209-4419-87DA-8130843AD2AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF38D1E1-E07F-4E51-AE76-E27E7CE4F55C", "versionEndIncluding": "7.02", "versionStartIncluding": "7.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CB61EF9-414F-4563-B091-3E9B708CAB1E", "versionEndIncluding": "7.11", "versionStartIncluding": "7.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:*", "matchCriteriaId": "D90BE6E0-559E-4509-95EA-CB820611E16D", "versionEndIncluding": "7.52", "versionStartIncluding": "7.50", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "990D5985-7828-4D8C-9463-CA077AB3881E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "341C07C1-2B4A-475D-B200-1021EB6B1F79", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_application_software_integrated_solution:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "4D80CC30-EE05-439F-BF2C-1267837137DE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials."}, {"lang": "es", "value": "SAP NetWeaver y SAP BASIS, desde la versi\u00f3n 7.00 hasta la 7.02, desde la 7.10 a la 7.11, 7.30, 7.31, 7.40 y desde la versi\u00f3n 7.50 a la 7.52, contiene c\u00f3digo que permite ejecutar c\u00f3digo arbitrario del programa a elecci\u00f3n del usuario. Un usuario malicioso puede, por lo tanto, controlar el comportamiento del sistema o escalar privilegios mediante la ejecuci\u00f3n de c\u00f3digo malicioso sin credenciales leg\u00edtimas."}], "id": "CVE-2018-2363", "lastModified": "2024-11-21T04:03:40.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-09T15:29:00.370", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102449"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/1906212"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2525392"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102449"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2018/01/09/sap-security-patch-day-january-2018/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/1906212"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2525392"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}