Vulnerability Name:

CVE-2018-2415

Assigned:2017-12-15
Published:2018-05-08
Updated:2018-06-14
Summary:SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.
CVSS v3 Severity:4.7 Medium (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
4.1 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
4.7 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
4.1 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-172
References:Source: BID
Type: VENDOR_ADVISORY
104130

Source: CONFIRM
Type: VENDOR_ADVISORY
https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/

Source: XF
Type: UNKNOWN
sap-cve20182415-spoofing(143141)

Source: MISC
Type: UNKNOWN
https://launchpad.support.sap.com/#/notes/2550202

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.10:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.11:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.30:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.31:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.40:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_java_web_container_and_http_service_engine:7.50:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:sap:j2ee_engine_server_core:7.11:*:*:*:*:*:*:*
  • OR cpe:/a:sap:j2ee_engine_server_core:7.30:*:*:*:*:*:*:*
  • OR cpe:/a:sap:j2ee_engine_server_core:7.31:*:*:*:*:*:*:*
  • OR cpe:/a:sap:j2ee_engine_server_core:7.40:*:*:*:*:*:*:*
  • OR cpe:/a:sap:j2ee_engine_server_core:7.50:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    sap netweaver java web container and http service engine 7.10
    sap netweaver java web container and http service engine 7.11
    sap netweaver java web container and http service engine 7.30
    sap netweaver java web container and http service engine 7.31
    sap netweaver java web container and http service engine 7.40
    sap netweaver java web container and http service engine 7.50
    sap j2ee engine server core 7.11
    sap j2ee engine server core 7.30
    sap j2ee engine server core 7.31
    sap j2ee engine server core 7.40
    sap j2ee engine server core 7.50