CVE-2019-0284

Published: Apr 10, 2019Modified: Nov 21, 2024

6.0

Vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

Exploitability: 0.8 / Impact: 5.2

Source: NVD

Description

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.

Affected (2)

Products: Sap: Hana

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sap Hana	Version 1.0
Sap Hana	Version 2.0

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://launchpad.support.sap.com/#/notes/2772376

Source: cna@sap.com

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2772376

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.