CVE-2019-0265 — XML External Entity (XXE) Injection in SE Abap Platform

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.9%

top 24.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE Abap Platform SAP Advanced Business Application Programming Platform Kernel SAP Advanced Business Application Programming Platform Krnl32nuc +3 more

Timeline

PublishedFeb 15

Latest updateMay 14

Description

SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5sap_se/abap_platform< 7.21+9

▶NVDsap/advanced_business_application_programming_platform_kernel7.21 — 7.22+5

▶NVDsap/advanced_business_application_programming_platform_krnl32uc4 versions+3

▶NVDsap/advanced_business_application_programming_platform_krnl64uc6 versions+5

▶NVDsap/advanced_business_application_programming_platform_krnl32nuc4 versions+3

🔴Vulnerability Details

GHSA

GHSA-5g9g-w9x5-3rfc: SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service↗2022-05-14

▶

CVEList

CVE-2019-0265: SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service↗2019-02-15

▶