CVE-2019-0284: XEE
First published: Wed Apr 10 2019(Updated: )
SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP HANA | =1.0 | |
| SAP HANA | =2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this SAP HANA vulnerability?
The vulnerability ID for this SAP HANA vulnerability is CVE-2019-0284.
What is the severity of CVE-2019-0284?
The severity of CVE-2019-0284 is medium.
How does the SLD Registration vulnerability in SAP HANA occur?
The SLD Registration vulnerability in SAP HANA occurs due to insufficient validation of an XML document from an untrusted source.
Which versions of SAP HANA are affected by this vulnerability?
This vulnerability affects SAP HANA versions 1.0 and 2.0.
How can an attacker exploit CVE-2019-0284?
An attacker can exploit CVE-2019-0284 by calling SLDREG with an XML file containing an XML External Entity (XXE) reference, which can cause SLDREG to continuously loop or perform other malicious actions.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- vendor/sap
- canonical/sap hana
- version/sap hana/1.0
- version/sap hana/2.0