CVE-2019-0271 — MEDIUM (6.5)

Q: How severe is CVE-2019-0271?

CVE-2019-0271 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-0271?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Advanced Business Application Programming Platform, Sap Advanced Business Application Programming Server, Sap Sap Kernel.

Vulnerability Description

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sap	Advanced Business Application Programming Platform	-
Sap	Advanced Business Application Programming Server	>= 7.00, <= 7.31
Sap	Sap Kernel	7.21

Related Weaknesses (CWE)

CWE-20

References

http://www.securityfocus.com/bid/107355Broken Link
https://launchpad.support.sap.com/#/notes/2736825Permissions RequiredVendor Advisory
https://launchpad.support.sap.com/#/notes/2870067Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812Vendor Advisory
http://www.securityfocus.com/bid/107355Broken Link
https://launchpad.support.sap.com/#/notes/2736825Permissions RequiredVendor Advisory
https://launchpad.support.sap.com/#/notes/2870067Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812Vendor Advisory

FAQ

What is CVE-2019-0271?

CVE-2019-0271 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability....

How severe is CVE-2019-0271?

CVE-2019-0271 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-0271?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Advanced Business Application Programming Platform, Sap Advanced Business Application Programming Server, Sap Sap Kernel.