CVE-2019-0267 - OpenCVE

SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Manufacturing Integration And Intelligence

Configuration 1 [-]

OR	cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.0:::::::*
	cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.1:::::::*
	cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.2:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106990
https://launchpad.support.sap.com/#/notes/2686535
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2019-02-15T18:00:00

Updated: 2024-08-04T17:44:16.407Z

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0267

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-02-15T18:29:02.320

Modified: 2019-02-20T15:06:29.593

Link: CVE-2019-0267

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP Manufacturing Integration and Intelligence", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 15.0"}, {"status": "affected", "version": "< 15.1"}, {"status": "affected", "version": "< 15.2"}]}], "datePublic": "2019-02-12T00:00:00", "descriptions": [{"lang": "en", "value": "SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Request Forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-16T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"name": "106990", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106990"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2686535"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0267", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Manufacturing Integration and Intelligence", "version": {"version_data": [{"version_name": "<", "version_value": "15.0"}, {"version_name": "<", "version_value": "15.1"}, {"version_name": "<", "version_value": "15.2"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Request Forgery"}]}]}, "references": {"reference_data": [{"name": "106990", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106990"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"}, {"name": "https://launchpad.support.sap.com/#/notes/2686535", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2686535"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:16.407Z"}, "title": "CVE Program Container", "references": [{"name": "106990", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106990"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2686535"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0267", "datePublished": "2019-02-15T18:00:00", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.407Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "E49597EA-582C-4F2C-8D30-760620BA9FA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "514BCD2F-7F64-4504-80CD-808DC67514FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:manufacturing_integration_and_intelligence:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "C174EF57-E203-46A0-B3CE-B88B86FA8507", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application."}, {"lang": "es", "value": "SAP Manufacturing Integration and Intelligence, en versiones 15.0, 15.1 y 15.2, (Illuminator Servlet) actualmente no proporciona tokens Anti-XSRF. Esto podr\u00eda conducir a ataques XSRF si los datos se publican en el Servlet desde una aplicaci\u00f3n externa."}], "id": "CVE-2019-0267", "lastModified": "2019-02-20T15:06:29.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-15T18:29:02.320", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/106990"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2686535"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}