CVE-2019-0283
HIGH
SAP NetWeaver Process Integration - Digital Signature Spoofing via PI Axis Adapter
Title source: llm
Description
SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via the PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the XML document.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2747683
Scores
CVSS v3
7.1
EPSS
0.0013
EPSS Percentile
31.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-290
Status
published
Products (6)
sap/netweaver_process_integration 7.10
sap/netweaver_process_integration 7.11
sap/netweaver_process_integration 7.30
sap/netweaver_process_integration 7.31
sap/netweaver_process_integration 7.40
sap/netweaver_process_integration 7.50
Published
Apr 10, 2019
Tracked Since
Feb 18, 2026