Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

CVE-2018-2503 Wrong default authorizations in AS Java keystore service, SAP security note 2658279

Description

By default the keystore service does not sufficiently restrict the access to resources that should be protected.

Some well-known impacts of insuficient access restrictions are:

  • read, modify or delete sensitive information

Available fix and Supported packages

  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • SERVERCORE | 7.40 | 7.40
  • SERVERCORE | 7.50 | 7.50
  • J2EE ENGINE SERVERCORE 7.11 | SP015 | 000023
  • J2EE ENGINE SERVERCORE 7.11 | SP016 | 000011
  • J2EE ENGINE SERVERCORE 7.11 | SP017 | 000008
  • J2EE ENGINE SERVERCORE 7.11 | SP018 | 000004
  • J2EE ENGINE SERVERCORE 7.11 | SP019 | 000000
  • J2EE ENGINE SERVERCORE 7.20 | SP009 | 000129
  • J2EE ENGINE SERVERCORE 7.30 | SP015 | 000020
  • J2EE ENGINE SERVERCORE 7.30 | SP016 | 000020
  • J2EE ENGINE SERVERCORE 7.30 | SP017 | 000024
  • J2EE ENGINE SERVERCORE 7.30 | SP018 | 000019
  • J2EE ENGINE SERVERCORE 7.30 | SP019 | 000000
  • J2EE ENGINE SERVERCORE 7.30 | SP020 | 000000
  • J2EE ENGINE SERVERCORE 7.31 | SP020 | 000027
  • J2EE ENGINE SERVERCORE 7.31 | SP021 | 000021
  • J2EE ENGINE SERVERCORE 7.31 | SP022 | 000020
  • J2EE ENGINE SERVERCORE 7.31 | SP023 | 000000
  • J2EE ENGINE SERVERCORE 7.31 | SP024 | 000000
  • J2EE ENGINE SERVERCORE 7.40 | SP015 | 000027
  • J2EE ENGINE SERVERCORE 7.40 | SP016 | 000021
  • J2EE ENGINE SERVERCORE 7.40 | SP017 | 000019

Affected component

    BC-JAS-SEC
    Security, User Management

CVSS

Score: 7.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2658279

TAGS

#default-access-control-confuguration
#&160-CVE-2018-2503

More to explorer

SAP Cloud Connector Certificate Validation Issue

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,