CVE-2019-0330

The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/109068	Third Party Advisory VDB Entry
https://launchpad.support.sap.com/#/notes/2808158	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:diagnostics_agent:7.20:*:*:*:*:*:*:*

History

19 Dec 2023, 15:32

Type	Values Removed	Values Added
CPE	cpe:2.3:a:sap:diagnostics_agents:7.20:::::::*	cpe:2.3:a:sap:diagnostics_agent:7.20:::::::*
First Time		Sap diagnostics Agent

Information

Published : 2019-07-10 20:15

Updated : 2023-12-19 15:32

NVD link : CVE-2019-0330

Mitre link : CVE-2019-0330

CVE.ORG link : CVE-2019-0330

JSON object : View

Products Affected

sap

diagnostics_agent

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2019-0330", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2019-07-10T20:15:12.263", "references": [{"url": "http://www.securityfocus.com/bid/109068", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@sap.com"}, {"url": "https://launchpad.support.sap.com/#/notes/2808158", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application."}, {"lang": "es", "value": "El Plugin Command del OS en la transacci\u00f3n GPA_ADMIN y la Consola OSCommand del SAP Diagnostic Agent (LM-Service), versi\u00f3n 7.2, permite a un atacante inyectar c\u00f3digo que puede ser ejecutado por la aplicaci\u00f3n. Por lo tanto, un atacante podr\u00eda controlar el comportamiento de la aplicaci\u00f3n."}], "lastModified": "2023-12-19T15:32:08.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:diagnostics_agent:7.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADDA865D-010B-44E9-9523-3817F7872F7A"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}