Vulnerability Details : CVE-2018-2409
Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform.
Products affected by CVE-2018-2409
- cpe:2.3:a:sap:cloud_platform:2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-2409
- EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~45% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-2409
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
6.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 | SAP SE | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2018-2409
- Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-2409
- https://launchpad.support.sap.com/#/notes/2614141 (SAP ONE Support Launchpad; log on and permissions required)
- https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ ("SAP Security Patch Day – April 2018 | SAP Blogs"; Vendor Advisory)
- http://www.securityfocus.com/bid/103702 ("SAP Cloud Platform Connector CVE-2018-2409 Unspecified Session Fixation Vulnerability"; Third Party Advisory; VDB Entry)