CVE-2019-0271
MEDIUMSAP ABAP Server and ABAP Platform - XML External Entity Injection via Untrusted XML Document
Title source: llmDescription
ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.
References (5)
Core 5
Core References
Broken Link vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107355
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2870067
Vendor Advisory x_refsource_confirm
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2736825
Vendor Advisory x_refsource_confirm
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080
Scores
CVSS v3
6.5
EPSS
0.0058
EPSS Percentile
69.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (7)
sap/advanced_business_application_programming_platform
sap/advanced_business_application_programming_server
7.00 - 7.31
sap/sap_kernel
7.21
sap/sap_kernel
7.22
sap/sap_kernel
7.45
sap/sap_kernel
7.49
sap/sap_kernel
7.53
Published
Mar 12, 2019
Tracked Since
Feb 18, 2026