Vulnerability Name: | CVE-2018-2494 (CCN-154238) |
Assigned: | 2017-12-15 |
Published: | 2018-12-11 |
Updated: | 2019-10-03 |
Summary: | Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.
|
CVSS v3 Severity: | 8.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) 7.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)Exploitability Metrics: | Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required | Scope: | Scope (S): Unchanged
| Impact Metrics: | Confidentiality (C): High Integrity (I): High Availibility (A): High | 8.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H) 7.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C)Exploitability Metrics: | Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None | Scope: | Scope (S): Unchanged
| Impact Metrics: | Confidentiality (C): Low Integrity (I): High Availibility (A): High |
|
CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)Exploitability Metrics: | Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance | Impact Metrics: | Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial | 8.7 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:C/A:C)Exploitability Metrics: | Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
| Impact Metrics: | Confidentiality (C): Partial Integrity (I): Complete Availibility (A): Complete |
|
Vulnerability Type: | CWE-863
|
Vulnerability Consequences: | Gain Privileges |
References: | Source: MITRE Type: CNA CVE-2018-2494
Source: XF Type: UNKNOWN sap-cve20182494-priv-esc(154238)
Source: CCN Type: SAP Web site SAP Support Note 2698996
Source: MISC Type: Permissions Required, Vendor Advisory https://launchpad.support.sap.com/#/notes/2698996
Source: CCN Type: SAP Security Patch Day December 2018 SAP Security Patch Day December 2018
Source: MISC Type: Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
|
Vulnerable Configuration: | Configuration 1: cpe:/a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:* (Version >= 7.00 and <= 7.02)OR cpe:/a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:* (Version >= 7.10 and <= 7.30)OR cpe:/a:sap:business_application_software_integrated_solution:7.31:*:*:*:*:*:*:*OR cpe:/a:sap:business_application_software_integrated_solution:7.40:*:*:*:*:*:*:*OR cpe:/a:sap:business_application_software_integrated_solution:*:*:*:*:*:*:*:* (Version >= 7.50 and <= 7.53) Denotes that component is vulnerable |
BACK |