Vulnerabilities > CVE-2017-8913 - XXE vulnerability in SAP Netweaver Application Server Java 7.50

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sap

CWE-611

NVD

Published: 2017-05-23

Updated: 2021-04-20

Summary

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Netweaver Application Server Java 7.50	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/
https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/