Digital Signature Spoofing Vulnerability in SAP NetWeaver Process Integration
CVE-2019-0283

7.1HIGH

Key Information:

Vendor: SAP
Status: SAP Netweaver Process Integration (adapter Engine)
Vendor: CVE Published:; 10 April 2019

Summary

SAP NetWeaver Process Integration (Adapter Engine) is susceptible to a Digital Signature Spoofing vulnerability, allowing attackers to spoof XML signatures and send unauthorized requests to the server through the PI Axis adapter. This flaw enables the acceptance of tampered XML payloads, thus posing security risks, particularly when the signed content includes the body of the XML document. Users must upgrade to fixed versions 7.10 to 7.11, 7.30, 7.31, 7.40, or 7.50 to mitigate potential threats.

Affected Version(s)

SAP NetWeaver Process Integration (Adapter Engine) < from 7.10 to 7.11 < from 7.10 to 7.11

SAP NetWeaver Process Integration (Adapter Engine) < 7.30 < 7.30

SAP NetWeaver Process Integration (Adapter Engine) < 7.31 < 7.31

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_CONFIRM

https://launchpad.support.sap.com/#/notes/2747683

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2019
Vulnerability Reserved
Nov 26, 2018