Content Spoofing Vulnerability in SAP NetWeaver Application Server Java
CVE-2018-2415

4.7 MEDIUM

Summary

A content spoofing vulnerability exists in the SAP NetWeaver Application Server Java Web Container and HTTP Service. This issue arises due to inadequate encoding of user-controlled inputs, leading to the potential display of deceptive error pages. Attackers may exploit this vulnerability to mislead users, compromising their trust and impacting the overall security of web applications powered by these SAP products. It is crucial for organizations using these affected versions to implement proper security measures and updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

SAP NetWeaver Application Server (Engine API) from 7.10 to 7.11

SAP NetWeaver Application Server (Engine API) 7.30

SAP NetWeaver Application Server (Engine API) 7.31

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
