HTTP Host Header Manipulation Vulnerability in SAP NetWeaver AS Java Web Container
CVE-2018-2504

6.1MEDIUM

Key Information:

Vendor

SAP
Status
SAP Netweaver As Java (servercore)
Vendor
CVE Published:
11 December 2018

What is CVE-2018-2504?

The SAP NetWeaver AS Java Web Container is susceptible to HTTP Host Header Manipulation due to improper validation of the HTTP host header against a whitelist. This vulnerability can potentially lead to malicious Cross-Site Scripting (XSS) attacks. Users are recommended to upgrade to the patched versions (7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50) to mitigate potential exploitation.

Affected Version(s)

SAP NetWeaver AS Java (ServerCore) = 7.10 = 7.10

SAP NetWeaver AS Java (ServerCore) = 7.11 = 7.11

SAP NetWeaver AS Java (ServerCore) = 7.20 = 7.20

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2718993
x_refsource_MISC
http://www.securityfocus.com/bid/106150
vdb-entryx_refsource_BID

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.