Vulnerabilities > CVE-2019-14678 - XXE vulnerability in SAS Base SAS and XML Mapper

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

sas

CWE-611

NVD

Published: 2019-11-14

Updated: 2019-11-22

Summary

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Vulnerable Configurations

Part	Description	Count
Application	Sas SAS XML Mapper 9.45 SAS Base SAS 9.4	2
OS	Hp HP HP UX -	1
OS	Ibm IBM AIX - IBM Z/Os -	2
OS	Linux Linux Linux Kernel -	1
OS	Microsoft Microsoft Windows - Microsoft Windows 10 - Microsoft Windows 7 - Microsoft Windows 8 - Microsoft Windows 8.1 - Microsoft Windows Server 2012 - Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016 - Microsoft Windows Server 2019 -	14
OS	Oracle Oracle Solaris -	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References