CVE-2019-0284

CWE-611 — XML External Entity (XXE)3 documents3 sources

Severity

6.0MEDIUM

EPSS

0.0%

top 86.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Hana SAP Hana

Timeline

PublishedApr 10

Latest updateMay 14

Description

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:HExploitability: 0.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_hana< 1.0+1

▶NVDsap/hana1.0, 2.0+1

🔴Vulnerability Details

GHSA

GHSA-8mqv-2m94-pj5q: SLD Registration in SAP HANA (fixed in versions 1↗2022-05-14

▶

CVEList

CVE-2019-0284: SLD Registration in SAP HANA (fixed in versions 1↗2019-04-10

▶