Vulnerability Details : CVE-2019-0344
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
Vulnerability category: Execute code
Products affected by CVE-2019-0344
- cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*
CVE-2019-0344 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability
CISA required action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description:
SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.
Notes:
https://web.archive.org/web/20191214053020/https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 ; https://nvd.nist.gov/vuln/detail/CVE-2019-0344
Added on
2024-09-30
Action due date
2024-10-21
Exploit prediction scoring system (EPSS) score for CVE-2019-0344
28.35%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-0344
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-04 |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | 2024-10-07 |
CWE ids for CVE-2019-0344
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2019-0344
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
SAP Security Patch Day – August 2019 - Product Security Response at SAP - SCN WikiBroken Link
-
https://launchpad.support.sap.com/#/notes/2786035
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
Jump to