CVE-2016-4014

Опубликовано: 14 апр. 2016

Источник: nvd

CVSS3: 8.6

CVSS2: 9

EPSS Низкий

Описание

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

Комментарий

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Ссылки

http://packetstormsecurity.com/files/137919/SAP-NetWeaver-AS-JAVA-7.4-XXE-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2016/Jul/45
Exploit
Third Party Advisory
https://erpscan.io/advisories/erpscan-16-020-sap-netweaver-java-uddi-component-xxe-vulnerability/
https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/
http://packetstormsecurity.com/files/137919/SAP-NetWeaver-AS-JAVA-7.4-XXE-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2016/Jul/45
Exploit
Third Party Advisory
https://erpscan.io/advisories/erpscan-16-020-sap-netweaver-java-uddi-component-xxe-vulnerability/
https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sap:netweaver:7.4:*:*:*:java_as:*:*:*

EPSS

Процентиль: 91%

0.06906

Низкий

8.6 High

CVSS3

9 Critical

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-m8r4-h573-3frq

CVSS3: 8.6

github

больше 3 лет назад

BDU:2016-01032

fstec

почти 10 лет назад

Уязвимость программной интеграционной платформы SAP NetWeaver, позволяющая нарушителю вызвать отказ в обслуживании