Vulnerability Name:

CVE-2018-2419

Assigned:2017-12-15
Published:2018-05-08
Updated:2018-06-14
Summary:SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVSS v3 Severity:4.6 Medium (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
4.0 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
3.7 Low (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
3.2 Low (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
3.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-264
References:Source: BID
Type: VENDOR_ADVISORY
104116

Source: CONFIRM
Type: VENDOR_ADVISORY
https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/

Source: XF
Type: UNKNOWN
sap-cve20182419-priv-esc(143145)

Source: MISC
Type: UNKNOWN
https://launchpad.support.sap.com/#/notes/2596627

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sap:sapscore:1.11:*:*:*:*:*:*:*
  • OR cpe:/a:sap:sapscore:1.12:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:sap:s4core:1.01:*:*:*:*:*:*:*
  • OR cpe:/a:sap:s4core:1.02:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/a:sap:ea-finserv:6.04:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:6.05:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:6.06:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:6.16:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:6.17:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:6.18:*:*:*:*:*:*:*
  • OR cpe:/a:sap:ea-finserv:8.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    sap sapscore 1.11
    sap sapscore 1.12
    sap s4core 1.01
    sap s4core 1.02
    sap ea-finserv 6.04
    sap ea-finserv 6.05
    sap ea-finserv 6.06
    sap ea-finserv 6.16
    sap ea-finserv 6.17
    sap ea-finserv 6.18
    sap ea-finserv 8.0