Vulnerabilities > CVE-2019-0344 - Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sap

CWE-502

critical

NVD

Published: 2019-08-14

Updated: 2024-10-07

Summary

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Commerce Cloud 6.4 SAP Commerce Cloud 6.5 SAP Commerce Cloud 6.6 SAP Commerce Cloud 6.7 SAP Commerce Cloud 1808 SAP Commerce Cloud 1811 SAP Commerce Cloud 1905	7

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://launchpad.support.sap.com/#/notes/2786035
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017