CVE-2019-0271

CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.6%

top 31.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE Abap Server SAP SE Abap Server & Platform SAP Advanced Business Application Programming Server +1 more

Timeline

PublishedMar 12

Latest updateMay 13

Description

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5sap_se/abap_server_&_platform< from 7.40 to 7.52

▶CVEListV5sap_se/abap_server< from 7.00 to 7.31

▶NVDsap/advanced_business_application_programming_server7.00 — 7.31+1

▶NVDsap/sap_kernel5 versions+4

🔴Vulnerability Details

GHSA

GHSA-gxw2-45rm-hpm8: ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, lead↗2022-05-13

▶

CVEList

CVE-2019-0271: ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, lead↗2019-03-12

▶