CVE-2018-2492
HIGH
SAP NetWeaver AS Java - XML External Entity Injection in SAML 2.0
Title source: llmDescription
SAML 2.0 functionality in SAP NetWeaver AS Java does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.
References (3)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2642680
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106153
Scores
CVSS v3: 7.1
EPSS: 0.0031
EPSS Percentile: 53.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Details
CWE: CWE-611
Status: published
Products (5)
sap/netweaver_application_server_java 7.20
sap/netweaver_application_server_java 7.30
sap/netweaver_application_server_java 7.31
sap/netweaver_application_server_java 7.40
sap/netweaver_application_server_java 7.50
Published: Dec 11, 2018
Tracked Since: Feb 18, 2026