CVE-2018-2415

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
sapCNA
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
sapnetweaver_java_web_container_and_http_service_engine
7.10
sapnetweaver_java_web_container_and_http_service_engine
7.11
sapnetweaver_java_web_container_and_http_service_engine
7.30
sapnetweaver_java_web_container_and_http_service_engine
7.31
sapnetweaver_java_web_container_and_http_service_engine
7.40
sapnetweaver_java_web_container_and_http_service_engine
7.50
sapj2ee_engine_server_core
7.11
sapj2ee_engine_server_core
7.30
sapj2ee_engine_server_core
7.31
sapj2ee_engine_server_core
7.40
sapj2ee_engine_server_core
7.50
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/104130
https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/
https://launchpad.support.sap.com/#/notes/2550202
http://www.securityfocus.com/bid/104130
https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/
https://launchpad.support.sap.com/#/notes/2550202