CVE-2019-0271: Input Validation
First published: Tue Mar 12 2019(Updated: )
ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE) vulnerability. Fixed in Kernel 7.21 or 7.22, that is ABAP Server 7.00 to 7.31 and Kernel 7.45, 7.49 or 7.53, that is ABAP Server 7.40 to 7.52 or ABAP Platform. For more recent updates please refer to Security Note 2870067 (which supersedes the solution of Security Note 2736825) in the reference section below.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Advanced Business Application Programming Platform Kernel | ||
| SAP Advanced Business Application Programming Server | >=7.00<=7.31 | |
| SAP Advanced Business Application Programming Server | >=7.40<=7.52 | |
| SAP Kernel | =7.21 | |
| SAP Kernel | =7.22 | |
| SAP Kernel | =7.45 | |
| SAP Kernel | =7.49 | |
| SAP Kernel | =7.53 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-0271?
CVE-2019-0271 is classified as a medium severity vulnerability that can lead to XML External Entity (XEE) attacks.
How do I fix CVE-2019-0271?
To resolve CVE-2019-0271, update your ABAP Server or Kernel to a version that is 7.21, 7.22, 7.45, 7.49, 7.53, or later.
Which SAP products are affected by CVE-2019-0271?
CVE-2019-0271 affects ABAP Platform versions from 7.00 to 7.31 and specific Kernel versions including 7.21, 7.22, 7.45, 7.49, and 7.53.
What type of vulnerability is CVE-2019-0271?
CVE-2019-0271 is an XML External Entity (XEE) vulnerability resulting from insufficient validation of XML documents from untrusted sources.
Is CVE-2019-0271 being actively exploited?
At the time of reporting, there are no indications of active exploitation for CVE-2019-0271, but it is recommended to patch promptly.
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap advanced business application programming platform kernel
- canonical/sap advanced business application programming server
- version/sap advanced business application programming server/7.00
- version/sap advanced business application programming server/7.31
- version/sap advanced business application programming server/7.40
- version/sap advanced business application programming server/7.52
- canonical/sap kernel
- version/sap kernel/7.21
- version/sap kernel/7.22
- version/sap kernel/7.45
- version/sap kernel/7.49
- version/sap kernel/7.53