Vulnerability Details : CVE-2018-2402
In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more information about capture & replay), user credentials may be stored in clear text in the indexserver trace files of the control system. An attacker with the required authorizations on the control system may be able to access the user credentials and gain unauthorized access to data in the captured or target system.
Vulnerability category: Bypass, Information leak
Products affected by CVE-2018-2402
- cpe:2.3:a:sap:hana:1.00:*:*:*:*:*:*:*
- cpe:2.3:a:sap:hana:2.00:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-2402
- 0.34%: probability of exploitation activity in the next 30 days
- ~ 54%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-2402
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST | |
7.6 | HIGH | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H | 1.0 | 6.0 | SAP SE | |
8.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 1.7 | 6.0 | NIST | |
CWE ids for CVE-2018-2402
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-2402
- http://www.securityfocus.com/bid/103369
  SAP HANA CVE-2018-2402 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://launchpad.support.sap.com/#/notes/2587369
  SAP ONE Support Launchpad: Log On (Permissions Required; Vendor Advisory)
- https://blogs.sap.com/2018/03/13/sap-security-patch-day-march-2018/
  SAP Security Patch Day – March 2018 | SAP Blogs (Vendor Advisory)