CVE-2015-2812

XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2093966.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/132356/SAP-NetWeaver-Portal-7.31-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/Jun/62
http://www.securityfocus.com/archive/1/535826/100/800/threaded
https://erpscan.io/advisories/erpscan-15-004-sap-netweaver-portal-xmlvalidationcomponent-xxe/

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-04-01 14:59

Updated : 2023-12-10 11:31

NVD link : CVE-2015-2812

Mitre link : CVE-2015-2812

CVE.ORG link : CVE-2015-2812

JSON object : View

Products Affected

sap

netweaver_enterprise_portal

CWE

NVD-CWE-Other

{"id": "CVE-2015-2812", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-04-01T14:59:11.037", "references": [{"url": "http://packetstormsecurity.com/files/132356/SAP-NetWeaver-Portal-7.31-XXE-Injection.html", "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2015/Jun/62", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/535826/100/800/threaded", "source": "cve@mitre.org"}, {"url": "https://erpscan.io/advisories/erpscan-15-004-sap-netweaver-portal-xmlvalidationcomponent-xxe/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2093966."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en XMLValidationComponent en SAP NetWeaver Portal 7.31.201109172004 permite a atacantes remotos enviar solicitudes a servidores de intranet a trav\u00e9s de XML manipulado, tambi\u00e9n conocido como la nota de seguridad de SAP 2093966."}], "lastModified": "2018-12-10T19:29:07.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E666D8FD-1F21-4E97-80BB-D560AB125DB5"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "sourceIdentifier": "cve@mitre.org"}