{"api_version":"1","generated_at":"2026-07-19T12:07:45+00:00","cve":"CVE-2018-2403","urls":{"html":"https://cve.report/CVE-2018-2403","api":"https://cve.report/api/cve/CVE-2018-2403.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-2403","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-2403"},"summary":{"title":"CVE-2018-2403","description":"Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to.","state":"PUBLIC","assigner":"cna@sap.com","published_at":"2018-04-10 15:29:00","updated_at":"2020-08-24 17:37:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://launchpad.support.sap.com/#/notes/2595800","name":"https://launchpad.support.sap.com/#/notes/2595800","refsource":"MISC","tags":["Permissions Required"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103727","name":"103727","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"SAP Disclosure Management Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/","name":"https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"SAP Security Patch Day – April 2018 | SAP Blogs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-2403","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-2403","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"2403","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"disclosure_management","cpe6":"10.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2403","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"disclosure_management","cpe6":"10.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cna@sap.com","ID":"CVE-2018-2403","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SAP Disclosure Management","version":{"version_data":[{"version_affected":"=","version_value":"10.1"}]}}]},"vendor_name":"SAP SE"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"name":"https://launchpad.support.sap.com/#/notes/2595800","refsource":"MISC","url":"https://launchpad.support.sap.com/#/notes/2595800"},{"name":"https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/","refsource":"CONFIRM","url":"https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"},{"name":"103727","refsource":"BID","url":"http://www.securityfocus.com/bid/103727"}]}},"nvd":{"publishedDate":"2018-04-10 15:29:00","lastModifiedDate":"2020-08-24 17:37:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"2403","Ordinal":"117958","Title":"CVE-2018-2403","CVE":"CVE-2018-2403","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"2403","Ordinal":"1","NoteData":"Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"2403","Ordinal":"2","NoteData":"2018-04-10","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"2403","Ordinal":"3","NoteData":"2018-04-12","Type":"Other","Title":"Modified"}]}}}