CVE-2019-0283 — HIGH (7.1) — White Hats Nepal

Vulnerability Description

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.

CVSS Score

7.1

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Sap	Netweaver Process Integration	7.10

Related Weaknesses (CWE)

CWE-290

References

https://launchpad.support.sap.com/#/notes/2747683Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114Vendor Advisory
https://launchpad.support.sap.com/#/notes/2747683Permissions RequiredVendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114Vendor Advisory

FAQ

What is CVE-2019-0283?

CVE-2019-0283 is a vulnerability with a CVSS score of 7.1 (HIGH). SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send...

How severe is CVE-2019-0283?

CVE-2019-0283 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-0283?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver Process Integration.