ID

VAR-201705-4094


CVE

CVE-2017-8913


TITLE

XML External Entity attack vulnerability in the Visual Composer VC70RUNTIME component of SAP NetWeaver AS JAVA

Trust: 0.8

sources: JVNDB: JVNDB-2017-004275

DESCRIPTION

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. SAP NetWeaver Visual Composer is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

Trust: 1.89

sources: NVD: CVE-2017-8913 // JVNDB: JVNDB-2017-004275 // BID: 96204

AFFECTED PRODUCTS

vendor: sap, model: netweaver application server java, scope: eq, version: 7.50

Trust: 1.0

vendor: sap, model: netweaver, scope: eq, version: as java 7.5

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.5

Trust: 0.6

vendor: sap, model: visual composer, scope: eq, version: 0

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 0

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660 // NVD: CVE-2017-8913

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-8913
value: HIGH

Trust: 1.0

NVD: CVE-2017-8913
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201705-660
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2017-8913
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2017-8913
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-8913
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660 // NVD: CVE-2017-8913

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-660

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201705-660

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004275

PATCH

title: Top Page, url: https://www.sap.com/index.html

Trust: 0.8

title: Fixes for security vulnerabilities in the SAP NetWeaver AS JAVA Visual Composer VC70RUNTIME component, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70291

Trust: 0.6

sources: JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660

EXTERNAL IDS

db: NVD, id: CVE-2017-8913

Trust: 2.7

db: JVNDB, id: JVNDB-2017-004275

Trust: 0.8

db: CNNVD, id: CNNVD-201705-660

Trust: 0.6

db: BID, id: 96204

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660 // NVD: CVE-2017-8913

REFERENCES

url: https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/

Trust: 1.6

url: https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/

Trust: 1.6

url: https://erpscan.com/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8913

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-8913

Trust: 0.8

url: https://erpscan.com/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/

Trust: 0.8

url: http://www.sap.com/

Trust: 0.3

url: https://service.sap.com/sap/support/notes/2386873

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660 // NVD: CVE-2017-8913

CREDITS

ERPScan

Trust: 0.3

sources: BID: 96204

SOURCES

db: BID, id: 96204
db: JVNDB, id: JVNDB-2017-004275
db: CNNVD, id: CNNVD-201705-660
db: NVD, id: CVE-2017-8913

LAST UPDATE DATE

2024-11-23T21:41:12.787000+00:00


SOURCES UPDATE DATE

db: BID, id: 96204, date: 2017-05-23T18:00:00
db: JVNDB, id: JVNDB-2017-004275, date: 2017-06-21T00:00:00
db: CNNVD, id: CNNVD-201705-660, date: 2021-04-22T00:00:00
db: NVD, id: CVE-2017-8913, date: 2024-11-21T03:34:57.833

SOURCES RELEASE DATE

db: BID, id: 96204, date: 2017-02-14T00:00:00
db: JVNDB, id: JVNDB-2017-004275, date: 2017-06-21T00:00:00
db: CNNVD, id: CNNVD-201705-660, date: 2017-05-16T00:00:00
db: NVD, id: CVE-2017-8913, date: 2017-05-23T04:29:02.243