CVE-2018-2481 - OpenCVE

In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Advanced Business Application Programming

Configuration 1 [-]

OR	cpe:2.3:a:sap:advanced_business_application_programming::::::::
	cpe:2.3:a:sap:advanced_business_application_programming::::::::
	cpe:2.3:a:sap:advanced_business_application_programming:7.30:::::::*
	cpe:2.3:a:sap:advanced_business_application_programming:7.31:::::::*
	cpe:2.3:a:sap:advanced_business_application_programming:7.40:::::::*
	cpe:2.3:a:sap:advanced_business_application_programming:7.50:::::::*
	cpe:2.3:a:sap:advanced_business_application_programming:75c:::::::*
	cpe:2.3:a:sap:advanced_business_application_programming:75d:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/105906
https://launchpad.support.sap.com/#/notes/2693083
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2018-11-13T20:00:00

Updated: 2024-08-05T04:21:34.036Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2018-2481

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-11-13T20:29:00.560

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-2481

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP_ABA", "vendor": "SAP", "versions": [{"status": "affected", "version": "= 7.00 to 7.02"}, {"status": "affected", "version": "= 7.10 to 7.11"}, {"status": "affected", "version": "= 7.30"}, {"status": "affected", "version": "= 7.31"}, {"status": "affected", "version": "= 7.40"}, {"status": "affected", "version": "= 7.50"}, {"status": "affected", "version": "= 7.5C"}, {"status": "affected", "version": "= 7.5D"}]}], "datePublic": "2018-11-13T00:00:00", "descriptions": [{"lang": "en", "value": "In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-11-14T10:57:02", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"name": "105906", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105906"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2693083"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2481", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP_ABA", "version": {"version_data": [{"version_name": "=", "version_value": "7.00 to 7.02"}, {"version_name": "=", "version_value": "7.10 to 7.11"}, {"version_name": "=", "version_value": "7.30"}, {"version_name": "=", "version_value": "7.31"}, {"version_name": "=", "version_value": "7.40"}, {"version_name": "=", "version_value": "7.50"}, {"version_name": "=", "version_value": "7.5C"}, {"version_name": "=", "version_value": "7.5D"}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "105906", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105906"}, {"name": "https://launchpad.support.sap.com/#/notes/2693083", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2693083"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:21:34.036Z"}, "title": "CVE Program Container", "references": [{"name": "105906", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105906"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2693083"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2481", "datePublished": "2018-11-13T20:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:21:34.036Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEB5BAB7-2788-478F-A10F-A7B5FA93DD00", "versionEndIncluding": "7.02", "versionStartIncluding": "7.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:*:*:*:*:*:*:*:*", "matchCriteriaId": "266D9F05-6C88-4CB7-8E24-1BB1F4B769CC", "versionEndIncluding": "7.11", "versionStartIncluding": "7.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "54ACFFC2-8814-413C-8346-AC33B5F35B72", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "DBB7C0BC-891C-43AA-BDC5-098C794DEEE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "CABA91BB-9FAD-484B-A85B-D5E89F95F7B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "4E0A7DA7-A47F-4CBC-BBA4-542CF79FA065", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:75c:*:*:*:*:*:*:*", "matchCriteriaId": "A28AE259-EAC2-4291-9A78-1506783C7129", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_business_application_programming:75d:*:*:*:*:*:*:*", "matchCriteriaId": "7B547900-441D-4DE1-95AA-889C4FE99F37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality."}, {"lang": "es", "value": "En algunos roles est\u00e1ndar de SAP, en SAP_ABA de la versi\u00f3n 7.00 a la 7.02, de la versi\u00f3n 7.10 a la 7.11, 7.30, 7.31, 7.40, 7.50 y de la versi\u00f3n 75C a la 75D, se emplea un c\u00f3digo de transacci\u00f3n reservado para los clientes. Al implementar este c\u00f3digo de transacci\u00f3n, un usuario malicioso podr\u00eda ejecutar funcionalidades de transacci\u00f3n no autorizadas."}], "id": "CVE-2018-2481", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-13T20:29:00.560", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105906"}, {"source": "cna@sap.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2693083"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}