Session Management Vulnerability in SAP HANA Extended Application Services
CVE-2018-2451
6.6 MEDIUM
Key Information:
- Vendor: SAP
- CVE Published: 14 August 2018
What is CVE-2018-2451?
The SAP HANA Extended Application Services (XS) has a session management flaw in its Command-Line Interface (CLI), which can lead to prolonged session validity. This issue allows previously authorized platform users to maintain access to controller resources even after their permissions have been revoked by administrators. Furthermore, it poses a risk of session hijacking, as an attacker can exploit the session token of a user who has already closed their session, gaining unauthorized access to sensitive resources.
Affected Version(s)
SAP HANA Extended Application Services 1.0