{"api_version":"1","generated_at":"2026-05-17T00:39:06+00:00","cve":"CVE-2018-2418","urls":{"html":"https://cve.report/CVE-2018-2418","api":"https://cve.report/api/cve/CVE-2018-2418.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-2418","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-2418"},"summary":{"title":"CVE-2018-2418","description":"SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.","state":"PUBLIC","assigner":"cna@sap.com","published_at":"2018-05-09 20:29:00","updated_at":"2019-10-09 23:40:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/104115","name":"104115","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"SAP MaxDB ODBC Driver CVE-2018-2418 Unspecified Remote Code Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://launchpad.support.sap.com/#/notes/2610231","name":"https://launchpad.support.sap.com/#/notes/2610231","refsource":"MISC","tags":["Permissions Required","Vendor Advisory"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/","name":"https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"SAP Security Patch Day – May 2018 | SAP Blogs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-2418","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-2418","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"2418","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"maxdb_odbc_driver","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2418","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"maxdb_odbc_driver","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cna@sap.com","ID":"CVE-2018-2418","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SAP MaxDB ODBC driver","version":{"version_data":[{"version_affected":"=","version_value":"all versions before 7.9.09.07"}]}}]},"vendor_name":"SAP SE"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Code Injection"}]}]},"references":{"reference_data":[{"name":"https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/","refsource":"CONFIRM","url":"https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/"},{"name":"https://launchpad.support.sap.com/#/notes/2610231","refsource":"MISC","url":"https://launchpad.support.sap.com/#/notes/2610231"},{"name":"104115","refsource":"BID","url":"http://www.securityfocus.com/bid/104115"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2018-05-09 20:29:00","lastModifiedDate":"2019-10-09 23:40:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:maxdb_odbc_driver:*:*:*:*:*:*:*:*","versionEndExcluding":"7.9.09.07","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"2418","Ordinal":"117973","Title":"CVE-2018-2418","CVE":"CVE-2018-2418","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"2418","Ordinal":"1","NoteData":"SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"2418","Ordinal":"2","NoteData":"2018-05-09","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"2418","Ordinal":"3","NoteData":"2018-05-10","Type":"Other","Title":"Modified"}]}}}