CVE-2018-2415

Summary

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability when error pages are displayed.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver Application Server (Engine API)from 7.10 to 7.11affected
SAP SESAP NetWeaver Application Server (Engine API)7.30affected
SAP SESAP NetWeaver Application Server (Engine API)7.31affected
SAP SESAP NetWeaver Application Server (Engine API)7.40affected
SAP SESAP NetWeaver Application Server (Engine API)7.50affected
SAP SESAP NetWeaver Application Server (J2EE Engine Server Core)7.11affected
SAP SESAP NetWeaver Application Server (J2EE Engine Server Core)7.30affected
SAP SESAP NetWeaver Application Server (J2EE Engine Server Core)7.31affected
SAP SESAP NetWeaver Application Server (J2EE Engine Server Core)7.40affected
SAP SESAP NetWeaver Application Server (J2EE Engine Server Core)7.50affected

Weaknesses

  • Content Spoofing

ADP Enrichment

CVE Program Container

Additional References

References