⚠ Actively exploited
Added to CISA KEV on 2024-09-30. Federal agencies required to patch by 2024-10-21. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2019-0344
Severity
9.8 CRITICAL
EPSS
40.6%
top 2.64%
CISA KEV
KEV
Added 2024-09-30
Due 2024-10-21
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Aug 14
KEV added: Sep 30
KEV due: Oct 21
Description
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9