[CVE-2019-0344] SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability

CISA KEV 정보

취약점명	SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability
설명	SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.
조치사항	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
랜섬웨어 캠페인 악용	Unknown
CWE	CWE-502
등록일 (KEV)	2024-09-30
조치 기한	2024-10-21
추가 참고	https://web.archive.org/web/20191214053020/https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 ; https://nvd.nist.gov/vuln/detail/CVE-2019-0344

NVD 상세 정보

CVSS v3.1: 9.8 CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

설명: Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

CWE: CWE-502 | CWE-502

참조

https://launchpad.support.sap.com/#/notes/2786035 [Permissions Required, Vendor Advisory]
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 [Broken Link]
https://launchpad.support.sap.com/#/notes/2786035 [Permissions Required, Vendor Advisory]
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 [Broken Link]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344 [US Government Resource]

This product uses the NVD API but is not endorsed or certified by the NVD.

바로 가기

[CVE-2019-0344] SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability

CISA KEV 정보

NVD 상세 정보

참조

IT 도구 서랍