Skip links

CVE-2019-0388 Content spoofing vulnerability in UI5 HTTP Handler, SAP security note 2843016

Description

UPDATE 26th January 2021: We made few minor textual changes in the note. There have not been any changes done, which require customer action.

UPDATE 14th January 2020: This note has been re-released with updated “Manual Pre-Implementation Steps” step 6 and “Manual Post-Implementation Steps” step 3 (in releases where available).

UI5 HTTP Handler allows an attacker to manipulate content due to insufficient URL validation. Some well-known impacts of the vulnerability are:

  • phishing attacks to steal credentials of the victim
  • redirect users to untrusted webpages containing malware or similar malicious exploits
  • providing false information to the victim

Available fix and Supported packages

  • SAP_UI | 750 | 750
  • SAP_UI | 751 | 751
  • SAP_UI | 752 | 752
  • SAP_UI | 753 | 753
  • SAP_UI | 754 | 754
  • UI_700 | 200 | 200
  • SAP_UI 750 | SAPK-75016INSAPUI |
  • SAP_UI 753 | SAPK-75305INSAPUI |
  • SAP_UI 754 | SAPK-75401INSAPUI |
  • SAP_UI 751 | SAPK-75112INSAPUI |
  • SAP_UI 752 | SAPK-75209INSAPUI |
  • UI_700 200 | SAPK-20016INUI700 |

Affected component

    CA-UI5-DLV
    UI5 ABAP delivery tools

CVSS

Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2843016

TAGS

#Content-spoofing
#Phishing-attack
#&160-UI5-handler
#&160-CVE-2019-0388