Details of VAR-201508-0268

ID

VAR-201508-0268

CVE

CVE-2015-6662

TITLE

SAP NetWeaver Portal In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2015-004472

DESCRIPTION

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485. Vendors have confirmed this vulnerability SAP Security Note 2168485 It is released as. Supplementary information : CWE Vulnerability type by CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (XML Inappropriate restrictions on external entity references ) Has been identified. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks

Trust: 1.89

sources: NVD: CVE-2015-6662 // JVNDB: JVNDB-2015-004472 // BID: 76424

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	eq	version:	portal 7.4	Trust: 0.8

sources: JVNDB: JVNDB-2015-004472 // CNNVD: CNNVD-201508-514 // NVD: CVE-2015-6662

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6662
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6662
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201508-514
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2015-6662
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2015-004472 // CNNVD: CNNVD-201508-514 // NVD: CVE-2015-6662

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2015-004472 // NVD: CVE-2015-6662

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-514

TYPE

Design Error

Trust: 0.3

sources: BID: 76424

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004472

PATCH

title:

SAP Security Note 2168485

url:

http://scn.sap.com/docs/DOC-55451

Trust: 0.8

sources: JVNDB: JVNDB-2015-004472

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6662	Trust: 2.7
db:	PACKETSTORM	id:	134507	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-004472	Trust: 0.8
db:	CNNVD	id:	CNNVD-201508-514	Trust: 0.6
db:	BID	id:	76424	Trust: 0.3

sources: BID: 76424 // JVNDB: JVNDB-2015-004472 // CNNVD: CNNVD-201508-514 // NVD: CVE-2015-6662

REFERENCES

url:	http://erpscan.com/advisories/erpscan-15-018-sap-netweaver-7-4-xxe/	Trust: 1.4
url:	http://packetstormsecurity.com/files/134507/sap-netweaver-7.4-xxe-injection.html	Trust: 1.0
url:	http://www.securityfocus.com/archive/1/536957/100/0/threaded	Trust: 1.0
url:	http://seclists.org/fulldisclosure/2015/nov/92	Trust: 1.0
url:	https://erpscan.io/advisories/erpscan-15-018-sap-netweaver-7-4-xxe/	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6662	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6662	Trust: 0.8

sources: JVNDB: JVNDB-2015-004472 // CNNVD: CNNVD-201508-514 // NVD: CVE-2015-6662

CREDITS

Dmitry Chastuhin, Vahagn Vardanyana and Roman Bejan from ERPScan.

Trust: 0.3

sources: BID: 76424

SOURCES

db:	BID	id:	76424
db:	JVNDB	id:	JVNDB-2015-004472
db:	CNNVD	id:	CNNVD-201508-514
db:	NVD	id:	CVE-2015-6662

LAST UPDATE DATE

2024-11-23T23:09:14.662000+00:00

SOURCES UPDATE DATE

db:	BID	id:	76424	date:	2015-12-08T22:14:00
db:	JVNDB	id:	JVNDB-2015-004472	date:	2015-08-28T00:00:00
db:	CNNVD	id:	CNNVD-201508-514	date:	2015-08-25T00:00:00
db:	NVD	id:	CVE-2015-6662	date:	2024-11-21T02:35:23.393

SOURCES RELEASE DATE

db:	BID	id:	76424	date:	2015-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-004472	date:	2015-08-28T00:00:00
db:	CNNVD	id:	CNNVD-201508-514	date:	2015-08-25T00:00:00
db:	NVD	id:	CVE-2015-6662	date:	2015-08-24T14:59:19.507