Detections
Analytics
Virtual JDBC Remote Code Execution
critical Web App Scanning Plugin ID 113046
Language:
Synopsis
Virtual JDBC Remote Code ExecutionDescription
Due to unsafe deserialization used in Virtual JDBC all versions allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution.Solution
Disable or filter access to the Virtual JDBC endpoint.See Also
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
Plugin Details
Severity: Critical
ID: 113046
Type: remote
Family: Component Vulnerability
Published: 11/12/2021
Updated: 11/15/2021
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-0344
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2019-0344
Reference Information
CVE: CVE-2019-0344
CWE: 502
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A8, 2017-A9, 2021-A6, 2021-A8
WASC: Improper Input Handling
CAPEC: 586
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10(5)
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.5.1