CVE-2018-2459
In short
A flaw in SAP Mobile Platform 3.0's Offline OData feature allows users to occasionally receive data belonging to other users when using delta tokens (a feature enabled by default). This is a privacy breach that exposes sensitive information to unauthorized users.
Technical detail
The Offline OData delta token mechanism in SAP Mobile Platform 3.0 fails to properly isolate user data during synchronization operations. An authenticated user with legitimate access to the application may receive data records assigned to other users due to improper token handling or cache isolation. The vulnerability affects deployments using the default delta token configuration and impacts data confidentiality.
Summary generated and translated by AI from the official description.
Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user.
Affected products
SAP · SAP Mobile Platform