Vulnerabilities > CVE-2018-2492 - XXE vulnerability in SAP Netweaver Application Server Java

CVSS 7.1 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

HIGH

network

low complexity

sap

CWE-611

NVD

Published: 2018-12-11

Updated: 2021-04-20

Summary

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Netweaver Application Server Java 7.20 SAP Netweaver Application Server Java 7.30 SAP Netweaver Application Server Java 7.31 SAP Netweaver Application Server Java 7.40 SAP Netweaver Application Server Java 7.50	5

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
https://launchpad.support.sap.com/#/notes/2642680
http://www.securityfocus.com/bid/106153