CVE-2019-0344
CRITICAL KEV
SAP Commerce Cloud - Insecure Deserialization
Title source: ruleDescription
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
Scores
CVSS v3
9.8
EPSS
0.4062
EPSS Percentile
97.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Intel
CISA KEV
2024-09-30
VulnCheck KEV
2024-09-30
InTheWild.io
2024-09-30
ENISA EUVD
EUVD-2019-1117
Classification
CWE
CWE-502
Status
published
Affected Products (7)
sap/commerce_cloud
sap/commerce_cloud
sap/commerce_cloud
sap/commerce_cloud
sap/commerce_cloud
sap/commerce_cloud
sap/commerce_cloud
Timeline
Published
Aug 14, 2019
KEV Added
Sep 30, 2024
Tracked Since
Feb 18, 2026