CVE-2015-4091

XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/May/96
http://www.securityfocus.com/archive/1/536239/100/0/threaded
http://www.securityfocus.com/bid/74850
https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xxe

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:sap_netweaver_application_server_java:7.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-05-26 14:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-4091

Mitre link : CVE-2015-4091

CVE.ORG link : CVE-2015-4091

JSON object : View

Products Affected

sap

sap_netweaver_application_server_java

CWE

NVD-CWE-Other

{"id": "CVE-2015-4091", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-05-26T14:59:00.070", "references": [{"url": "http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.html", "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2015/May/96", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/536239/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/74850", "source": "cve@mitre.org"}, {"url": "https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xxe", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to \"CIM UPLOAD,\" aka SAP Security Note 2090851."}, {"lang": "es", "value": "Vulnerabilidad de XXE en SAP NetWeaver AS Java 7.4 permite a atacantes remotos enviar peticiones TCP a servidores intranet o posiblemente tener otro impacto no especificado a trav\u00e9s de una petici\u00f3n XML a tc~sld~wd~main/Main, relacionado con \"CIM UPLOAD\", tambi\u00e9n conocida como SAP Security Note 2090851."}], "lastModified": "2018-12-10T19:29:08.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:sap_netweaver_application_server_java:7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "671D3122-7DB9-4CDD-BB0F-3A70092830CA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}