- Added submission from SAP for December 2018 Patch Day from 2018-12-11.

CVE Team 2018-12-11 17:02:47 -05:00
parent 3976a9e25c
commit d6522a570a
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
9 changed files with 616 additions and 27 deletions


@ -1,8 +1,55 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2486",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP Marketing (UICUAN)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "1.20"
},
{
"version_name" : "=",
"version_value" : "1.30"
},
{
"version_name" : "=",
"version_value" : "1.40"
}
]
}
},
{
"product_name" : "SAP Marketing (SAPSCORE)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "1.13"
},
{
"version_name" : "=",
"version_value" : "1.14"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +58,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross-Site Scripting"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2705204"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}
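Review bot: The comparison operator is stored under `version_name` in every `version_data` entry of this record (`"version_name" : "="`), whereas the CVE-2018-2505 record in the same commit stores it under `version_affected`. A consumer that reads the operator from one key will silently find none under the other, which matters most for CVE-2018-2500, where the operator is `<` rather than `=`. I would use one key throughout, e.g. `"version_affected" : "="`, and keep `version_name` for an actual release or branch name. The same applies to the CVE-2018-2492, -2494, -2497, -2500, -2502, -2503 and -2504 records.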


@ -1,8 +1,44 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2492",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP NetWeaver Application Server (Java Library)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "7.20"
},
{
"version_name" : "=",
"version_value" : "7.30"
},
{
"version_name" : "=",
"version_value" : "7.31"
},
{
"version_name" : "=",
"version_value" : "7.50"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +47,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Missing XML Validation"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2642680"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}
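Review bot: The description on the new side names 7.40 among the versions, but `version_data` in this record lists only 7.20, 7.30, 7.31 and 7.50, so anything matching on `affects` would miss 7.40 installations. The description also writes "7.2" where the structured data has `"7.20"`. If 7.40 is in scope (to be confirmed against SAP note 2642680), add a `"version_value" : "7.40"` entry. Separately, "This is fixed in versions …" reads as if the listed releases are the patched ones, while `affects` lists them as vulnerable. Wording such as "Affected versions: …" would remove the ambiguity, and the same phrasing appears in the CVE-2018-2502, -2503, -2504 and -2505 records.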


@ -1,8 +1,55 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2494",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP Basis (AS ABAP of SAP NetWeaver)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "7.00 to 7.02"
},
{
"version_name" : "=",
"version_value" : "7.10 to 7.30"
},
{
"version_name" : "=",
"version_value" : "7.31"
},
{
"version_name" : "=",
"version_value" : "7.40"
}
]
}
},
{
"product_name" : "SAP Basis (ABAP Platform)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "7.50 to 7.53"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +58,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Missing Authorization Check"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2698996"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}
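Review bot: Three `version_value` entries in this record hold free-text ranges (`"7.00 to 7.02"`, `"7.10 to 7.30"`, `"7.50 to 7.53"`) paired with the operator `=`, so an exact-match comparison never hits a real release inside those ranges. Listing each release as its own entry, or giving each range explicit lower and upper bounds, would make the data usable for automated matching. The description gives the span as "700 to 750" while the structured data runs to 7.53, so one of the two needs correcting. Its opening clause also reads as if the authorization checks themselves cause the escalation; something like `Missing authorization checks for an authenticated user could result in escalation of privileges …` would be clearer.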


@ -1,8 +1,36 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2497",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP HANA",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "1.0"
},
{
"version_name" : "=",
"version_value" : "2.0"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +39,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Other"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2704878"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}


@ -1,8 +1,32 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2500",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP Mobile Secure for Android",
"version" : {
"version_data" : [
{
"version_name" : "<",
"version_value" : "6.60.19942.0 SP28 1711"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +35,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Information Disclosure"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2707024"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}


@ -1,8 +1,36 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2502",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP Business One Service Layer (B1_ON_HANA)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "9.2"
},
{
"version_name" : "=",
"version_value" : "9.3"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +39,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "TRACE method is enabled in SAP Business One Service Layer . Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer has a XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3)."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Other"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2680492"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}


@ -1,8 +1,52 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2503",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP NetWeaver AS Java (ServerCore)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "7.11"
},
{
"version_name" : "=",
"version_value" : "7.20"
},
{
"version_name" : "=",
"version_value" : "7.30"
},
{
"version_name" : "=",
"version_value" : "7.31"
},
{
"version_name" : "=",
"version_value" : "7.40"
},
{
"version_name" : "=",
"version_value" : "7.50"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +55,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50)."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Missing Authentication"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2658279"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}
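Review bot: `problemtype` is given as "Missing Authentication", but the description on the new side says the keystore service does not sufficiently restrict access to protected resources, which reads more like an access-control or authorization weakness. The two should agree, because weakness-class filtering and CWE mapping rely on this field. Please confirm against SAP note 2658279; if authorization is what is meant, the label already used by the CVE-2018-2494 record would fit, `"value" : "Missing Authorization Check"`.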


@ -1,8 +1,56 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2504",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP NetWeaver AS Java (ServerCore)",
"version" : {
"version_data" : [
{
"version_name" : "=",
"version_value" : "7.10"
},
{
"version_name" : "=",
"version_value" : "7.11"
},
{
"version_name" : "=",
"version_value" : "7.20"
},
{
"version_name" : "=",
"version_value" : "7.30"
},
{
"version_name" : "=",
"version_value" : "7.31"
},
{
"version_name" : "=",
"version_value" : "7.40"
},
{
"version_name" : "=",
"version_value" : "7.50"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +59,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross-Site Scripting"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2718993"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}


@ -1,8 +1,52 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "cna@sap.com",
"ID" : "CVE-2018-2505",
"STATE" : "RESERVED"
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "SAP Commerce (SAP Hybris Commerce)",
"version" : {
"version_data" : [
{
"version_affected" : "=",
"version_value" : "6.2"
},
{
"version_affected" : "=",
"version_value" : "6.3"
},
{
"version_affected" : "=",
"version_value" : "6.4"
},
{
"version_affected" : "=",
"version_value" : "6.5"
},
{
"version_affected" : "=",
"version_value" : "6.6"
},
{
"version_affected" : "=",
"version_value" : "6.7"
}
]
}
}
]
},
"vendor_name" : "SAP"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
@ -11,8 +55,35 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7)."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Code Injection"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"refsource" : "CONFIRM",
"url" : "https://launchpad.support.sap.com/#/notes/2711425"
},
{
"refsource" : "CONFIRM",
"url" : "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}
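Review bot: `problemtype` says "Code Injection" while the description on the new side describes a Cross-Site Scripting vulnerability in storefronts. The other XSS records in this commit (CVE-2018-2486 and CVE-2018-2504) use "Cross-Site Scripting", so this record would be classified differently by anything that groups on the field. I would change the line to `"value" : "Cross-Site Scripting"`. The closing sentence "Fixed in versions (SAP Hybris Commerce, versions 6.2, … 6.7)" also lists the same releases that `affects` marks as vulnerable, so it should say which releases are affected and leave the fix level to the referenced SAP note.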