CVE-2019-0271 : ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not suffici

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.

Published 2019-03-12 22:29:00

Updated 2022-04-18 14:25:28

Source SAP SE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionInput validation

Products affected by CVE-2019-0271

SAP » Sap Kernel » Version: 7.22
cpe:2.3:a:sap:sap_kernel:7.22:*:*:*:*:*:*:*
Matching versions
SAP » Sap Kernel » Version: 7.49
cpe:2.3:a:sap:sap_kernel:7.49:*:*:*:*:*:*:*
Matching versions
SAP » Sap Kernel » Version: 7.21
cpe:2.3:a:sap:sap_kernel:7.21:*:*:*:*:*:*:*
Matching versions
SAP » Sap Kernel » Version: 7.45
cpe:2.3:a:sap:sap_kernel:7.45:*:*:*:*:*:*:*
Matching versions
SAP » Sap Kernel » Version: 7.53
cpe:2.3:a:sap:sap_kernel:7.53:*:*:*:*:*:*:*
Matching versions
SAP » Advanced Business Application Programming Server
Versions from including (>=) 7.40 and up to, including, (<=) 7.52
cpe:2.3:a:sap:advanced_business_application_programming_server:*:*:*:*:*:*:*:*
Matching versions
SAP » Advanced Business Application Programming Server
Versions from including (>=) 7.00 and up to, including, (<=) 7.31
cpe:2.3:a:sap:advanced_business_application_programming_server:*:*:*:*:*:*:*:*
Matching versions
SAP » Advanced Business Application Programming Platform » Version: N/A
cpe:2.3:a:sap:advanced_business_application_programming_platform:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-0271

EPSS FAQ

0.65%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-0271

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-0271

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-0271

https://launchpad.support.sap.com/#/notes/2870067

SAP ONE Support Launchpad: Log On
Permissions Required;Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080

SAP Security Patch Day – March 2019 - Product Security Response at SAP - SCN Wiki
Vendor Advisory

CVEs referencing this url
https://launchpad.support.sap.com/#/notes/2736825

SAP ONE Support Launchpad: Log On
Permissions Required;Vendor Advisory
http://www.securityfocus.com/bid/107355

SAP Netweaver ABAP Server CVE-2019-0271 XML External Entity Injection Vulnerability
Broken Link
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812

SAP Security Patch Day – February 2020 - Product Security Response at SAP - Community Wiki
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-0271

Products affected by CVE-2019-0271

Exploit prediction scoring system (EPSS) score for CVE-2019-0271

CVSS scores for CVE-2019-0271

CWE ids for CVE-2019-0271

References for CVE-2019-0271