Vulnerabilities > CVE-2019-14678 - XXE vulnerability in SAS Base SAS and XML Mapper

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sas

CWE-611

critical

NVD

Published: 2019-11-14

Updated: 2019-11-22

Summary

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Vulnerable Configurations

Part	Description	Count
Application	Sas SAS XML Mapper 9.45 SAS Base SAS 9.4	2
OS	Hp HP HP UX -	1
OS	Ibm IBM AIX - IBM Z/Os -	2
OS	Linux Linux Linux Kernel -	1
OS	Microsoft Microsoft Windows - Microsoft Windows 10 - Microsoft Windows 7 - Microsoft Windows 8 - Microsoft Windows 8.1 - Microsoft Windows Server 2012 - Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016 - Microsoft Windows Server 2019 -	14
OS	Oracle Oracle Solaris -	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References