Vulnerabilities > CVE-2016-4014 - XML External Entity Injection vulnerability in SAP Netweaver 7.4
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
COMPLETE Summary
XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/137919/ERPSCAN-16-020.txt |
id | PACKETSTORM:137919 |
last seen | 2016-12-05 |
published | 2016-07-14 |
reporter | Vahagn Vardanyan |
source | https://packetstormsecurity.com/files/137919/SAP-NetWeaver-AS-JAVA-7.4-XXE-Injection.html |
title | SAP NetWeaver AS JAVA 7.4 XXE Injection |
References
- http://packetstormsecurity.com/files/137919/SAP-NetWeaver-AS-JAVA-7.4-XXE-Injection.html
- http://seclists.org/fulldisclosure/2016/Jul/45
- https://erpscan.io/advisories/erpscan-16-020-sap-netweaver-java-uddi-component-xxe-vulnerability/
- https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/