CVE-2018-2415

moderate-risk
Published 2018-05-09

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.

Do I need to act?

-
0.28% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.7/10 Medium
NETWORK / LOW complexity

Affected Products (11)

Netweaver Java Web Container And Http Service Engine
Netweaver Java Web Container And Http Service Engine
Netweaver Java Web Container And Http Service Engine
Netweaver Java Web Container And Http Service Engine
Netweaver Java Web Container And Http Service Engine
Netweaver Java Web Container And Http Service Engine
J2Ee Engine Server Core
J2Ee Engine Server Core
J2Ee Engine Server Core
J2Ee Engine Server Core
J2Ee Engine Server Core

Affected Vendors

Sap

References (6)

Third Party Advisory http://www.securityfocus.com/bid/104130
Vendor Advisory https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/
Permissions Required https://launchpad.support.sap.com/#/notes/2550202
Third Party Advisory http://www.securityfocus.com/bid/104130
Vendor Advisory https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/
Permissions Required https://launchpad.support.sap.com/#/notes/2550202
36
/ 100
moderate-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate