#VU17659 XXE attack in ABAP Platform - CVE-2019-0265

Cybersecurity Help s.r.o.

Published: 2019-02-13

Vulnerability identifier: #VU17659

Vulnerability risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-0265

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ABAP Platform
Server applications / Application servers

Vendor: SAP

Description
The vulnerability allows a remote high-privileged attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can submit a specially crafted input and obtain potentially sensitive information or cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ABAP Platform: KRNL32NUC 7.21EXT - 7.21EXT

External links
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922950

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP products