CVE-2019-0283

CWE-2903 documents3 sources

Severity

7.1HIGH

EPSS

0.1%

top 68.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Process Integration (adapter Engine)SAP Netweaver Process Integration

Timeline

PublishedApr 10

Latest updateMay 13

Description

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_process_integration_(adapter_engine)< from 7.10 to 7.11+4

▶NVDsap/netweaver_process_integration6 versions+5

🔴Vulnerability Details

GHSA

GHSA-498x-38mj-f75g: SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7↗2022-05-13

▶

CVEList

CVE-2019-0283: SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7↗2019-04-10

▶