CVE-2018-2403 - OpenCVE

Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Disclosure Management

Configuration 1 [-]

cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/103727
https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/
https://launchpad.support.sap.com/#/notes/2595800

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2018-04-10T15:00:00

Updated: 2024-08-05T04:21:33.236Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2018-2403

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-04-10T15:29:01.190

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-2403

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP Disclosure Management", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "10.1"}]}], "datePublic": "2018-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-04-12T09:57:02", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2595800"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"}, {"name": "103727", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103727"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2403", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Disclosure Management", "version": {"version_data": [{"version_affected": "=", "version_value": "10.1"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.support.sap.com/#/notes/2595800", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2595800"}, {"name": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"}, {"name": "103727", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103727"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:21:33.236Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2595800"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"}, {"name": "103727", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103727"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2403", "datePublished": "2018-04-10T15:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:21:33.236Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "53067DD8-3718-46AE-AA69-2065C07F5EEF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to."}, {"lang": "es", "value": "En ciertas condiciones, SAP Disclosure Management 10.1 permite que un atacante acceda a informaci\u00f3n que normalmente estar\u00eda restringida. Es posible para un usuario autorizado hacer que SAP Disclosure Management se\u00f1ale un tipo de cap\u00edtulo en concreto en un cap\u00edtulo al cual el usuario no tiene permiso de acceso."}], "id": "CVE-2018-2403", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2018-04-10T15:29:01.190", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103727"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2595800"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}