CVE-2016-4014 - XML External Entity Injection vulnerability in SAP NetWeaver 7.4

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: COMPLETE
Tags: network, low complexity, sap, critical

Summary

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)

Vulnerable Configurations

Part          Description   Count
Application   Sap           1

Packetstorm

data source: https://packetstormsecurity.com/files/download/137919/ERPSCAN-16-020.txt
id: PACKETSTORM:137919
last seen: 2016-12-05
published: 2016-07-14
reporter: Vahagn Vardanyan
source: https://packetstormsecurity.com/files/137919/SAP-NetWeaver-AS-JAVA-7.4-XXE-Injection.html
title: SAP NetWeaver AS JAVA 7.4 XXE Injection