CVE-2019-0379

Опубликовано: 08 окт. 2019

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

SAP Process Integration, business-to-business add-on, versions 1.0, 2.0, does not perform authentication check properly when the default security provider is changed to BouncyCastle (BC), leading to Missing Authentication Check

Ссылки

https://launchpad.support.sap.com/#/notes/2826015
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050
Vendor Advisory
https://launchpad.support.sap.com/#/notes/2826015
Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sap:process_integration:1.0:*:*:*:*:*:*:*

cpe:2.3:a:sap:process_integration:2.0:*:*:*:*:*:*:*

EPSS

Процентиль: 36%

0.00154

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-306

Связанные уязвимости

GHSA-pwr7-6jj8-mwx4

github

больше 3 лет назад

In SAP NetWeaver Process Integration (AS2 Adapter), before versions 1.0 and 2.0, the attacker is able to consistently bypass the authenticity check by crafting ad-hoc public certificates based on arbitrary key-pairs leading to Missing Authentication Check.

BDU:2020-00067