CVE-2019-0270 — Missing Authorization in SE Abap Platform Server

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 37.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE Abap Platform Server SAP Advanced Business Application Programming Platform Kernel SAP Advanced Business Application Programming Platform Krnl32nuc +3 more

Timeline

PublishedMar 12

Latest updateMay 13

Description

ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has been corrected in the following versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.74, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, 7.74, 8.04, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, 7.74, 7.75, 8.04.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5sap_se/abap_platform_server< 7.21+10

▶NVDsap/advanced_business_application_programming_platform_kernel9 versions+8

▶NVDsap/advanced_business_application_programming_platform_krnl32uc4 versions+3

▶NVDsap/advanced_business_application_programming_platform_krnl64uc8 versions+7

▶NVDsap/advanced_business_application_programming_platform_krnl32nuc4 versions+3

🔴Vulnerability Details

GHSA

GHSA-p5w4-x3m3-939j: ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of pr↗2022-05-13

▶

CVEList

CVE-2019-0270: ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of pr↗2019-03-12

▶