CVE-2019-0344
Severity: CRITICAL | CISA KEV
SAP Commerce Cloud 6.4-6.7, 1808-1905 - Remote Code Execution via Unsafe Deserialization in virtualjdbc Extension
Title source: llm

Exploitation Summary
CVE-2019-0344 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 30, 2024.
Description
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
References (3)
Core References
- US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344
- Broken Link (x_refsource_misc): https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
- Permissions Required, Vendor Advisory (x_refsource_misc): https://launchpad.support.sap.com/#/notes/2786035
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4062 (percentile 97.4%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: yes
Technical Impact: total

Details
CISA KEV: 2024-09-30
VulnCheck KEV: 2024-09-30
InTheWild.io: 2024-09-30
ENISA EUVD: EUVD-2019-1117
CWE: CWE-502
Status: published
Products (7)
sap/commerce_cloud: 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905
Published: Aug 14, 2019
KEV Added: Sep 30, 2024
Tracked Since: Feb 18, 2026