CVE-2018-2497 - OpenCVE

The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Hana

Configuration 1 [-]

OR	cpe:2.3:a:sap:hana:1.0:::::::*
	cpe:2.3:a:sap:hana:2.0:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106152
https://launchpad.support.sap.com/#/notes/2704878
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2018-12-11T23:00:00

Updated: 2024-08-05T04:21:34.166Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2018-2497

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-12-11T22:29:00.423

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-2497

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP HANA", "vendor": "SAP", "versions": [{"status": "affected", "version": "= 1.0"}, {"status": "affected", "version": "= 2.0"}]}], "datePublic": "2018-12-11T00:00:00", "descriptions": [{"lang": "en", "value": "The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-12T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"}, {"name": "106152", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106152"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2704878"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2497", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP HANA", "version": {"version_data": [{"version_name": "=", "version_value": "1.0"}, {"version_name": "=", "version_value": "2.0"}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"}, {"name": "106152", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106152"}, {"name": "https://launchpad.support.sap.com/#/notes/2704878", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2704878"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:21:34.166Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"}, {"name": "106152", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106152"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2704878"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2497", "datePublished": "2018-12-11T23:00:00", "dateReserved": "2017-12-15T00:00:00", "dateUpdated": "2024-08-05T04:21:34.166Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:hana:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7238BE98-063B-40E1-83D2-7F1424BB4C30", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:hana:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "745FBCAF-940A-49F4-9DC9-26470F14DED7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT."}, {"lang": "es", "value": "El registro de auditor\u00eda de seguridad interna en SAP HANA 1.0 y 2.0 no registra los eventos SELECT si forman parte de una instrucci\u00f3n con la sintaxis CREATE TABLE AS SELECT."}], "id": "CVE-2018-2497", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-11T22:29:00.423", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106152"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2704878"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}