XML External Entity Vulnerability in SAP Internet Graphics Server
CVE-2018-2392

7.5HIGH

Key Information:

Vendor: SAP
Status: SAP Internet Graphics Server
Vendor: CVE Published:; 14 February 2018

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 86%

Summary

The vulnerability in SAP Internet Graphics Server (IGS) arises when the software fails to properly validate XML External Entities. This lack of validation can lead to conditions where the server may become unavailable, impacting service delivery and operational efficiency. It’s essential for organizations using affected versions to review and implement necessary security patches to mitigate potential risks associated with this vulnerability.

Affected Version(s)

SAP Internet Graphics Server 7.20

SAP Internet Graphics Server 7.20EXT

SAP Internet Graphics Server 7.45

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

sap_igs_xxe
Created by Vladimir-Ivanov-Git

References

https://launchpad.support.sap.com/#/notes/2525222

x_refsource_CONFIRM

https://blogs.sap.com/2018/02/13/sap-security-patch-day-f...

x_refsource_CONFIRM

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Oct 2, 2020
👾
Exploit known to exist
Oct 2, 2020
Vulnerability published
Feb 14, 2018
Vulnerability Reserved
Dec 15, 2017