CVE-2018-2415

4.7MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server (engine Api); SAP Netweaver Application Server (j2ee Engine Server Core)
Vendor: CVE Published:; 9 May 2018

Summary

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.

Affected Version(s)

SAP NetWeaver Application Server (Engine API) from 7.10 to 7.11

SAP NetWeaver Application Server (Engine API) 7.30

SAP NetWeaver Application Server (Engine API) 7.31

References

https://blogs.sap.com/2018/05/08/sap-security-patch-day-m...

x_refsource_CONFIRM

https://launchpad.support.sap.com/#/notes/2550202

x_refsource_MISC

http://www.securityfocus.com/bid/104130

vdb-entryx_refsource_BID

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 9, 2018
Vulnerability Reserved
Dec 15, 2017

.