Details of VAR-201707-0530

ID

VAR-201707-0530

CVE

CVE-2017-11457

TITLE

SAP NetWeaver AS JAVA In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-006832

DESCRIPTION

XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. SAP NetWeaver AS JAVA Is XML An external entity vulnerability exists. Vendors have confirmed this vulnerability SAP Security Note 2387249 It is released as.Information may be obtained. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions

Trust: 1.89

sources: NVD: CVE-2017-11457 // JVNDB: JVNDB-2017-006832 // BID: 97572

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver application server java	scope:	eq	version:	7.50	Trust: 1.0
vendor:	sap	model:	netweaver	scope:	eq	version:	7.5	Trust: 0.9
vendor:	sap	model:	netweaver	scope:	eq	version:	as java 7.5	Trust: 0.8
vendor:	sap	model:	netweaver as java	scope:	eq	version:	7.5	Trust: 0.3
vendor:	sap	model:	knowledge management	scope:	eq	version:	0	Trust: 0.3

sources: BID: 97572 // JVNDB: JVNDB-2017-006832 // CNNVD: CNNVD-201707-872 // NVD: CVE-2017-11457

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-11457
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-11457
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201707-872
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-11457
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2017-11457
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2017-11457
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2017-006832 // CNNVD: CNNVD-201707-872 // NVD: CVE-2017-11457

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2017-006832 // NVD: CVE-2017-11457

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-872

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201707-872

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006832

PATCH

title:	April 2017 (2387249)	url:	https://blogs.sap.com/2017/04/12/sap-cyber-threat-intelligence-report-april-2017/	Trust: 0.8
title:	SAP NetWeaver AS JAVA Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148143	Trust: 0.6

sources: JVNDB: JVNDB-2017-006832 // CNNVD: CNNVD-201707-872

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11457	Trust: 2.7
db:	BID	id:	97572	Trust: 1.9
db:	JVNDB	id:	JVNDB-2017-006832	Trust: 0.8
db:	CNNVD	id:	CNNVD-201707-872	Trust: 0.6

sources: BID: 97572 // JVNDB: JVNDB-2017-006832 // CNNVD: CNNVD-201707-872 // NVD: CVE-2017-11457

REFERENCES

url:	https://erpscan.io/advisories/erpscan-17-018-sap-netweaver-java-7-5-xxe-com-sap-km-cm-ice/	Trust: 1.6
url:	http://www.securityfocus.com/bid/97572	Trust: 1.6
url:	https://erpscan.com/advisories/erpscan-17-018-sap-netweaver-java-7-5-xxe-com-sap-km-cm-ice/	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11457	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-11457	Trust: 0.8
url:	http://www.sap.com/	Trust: 0.3
url:	https://launchpad.support.sap.com/#/notes/2387249	Trust: 0.3
url:	https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/	Trust: 0.3

sources: BID: 97572 // JVNDB: JVNDB-2017-006832 // CNNVD: CNNVD-201707-872 // NVD: CVE-2017-11457

CREDITS

SAP

Trust: 0.3

sources: BID: 97572

SOURCES

db:	BID	id:	97572
db:	JVNDB	id:	JVNDB-2017-006832
db:	CNNVD	id:	CNNVD-201707-872
db:	NVD	id:	CVE-2017-11457

LAST UPDATE DATE

2024-11-23T22:52:24.764000+00:00

SOURCES UPDATE DATE

db:	BID	id:	97572	date:	2017-08-25T12:11:00
db:	JVNDB	id:	JVNDB-2017-006832	date:	2017-09-05T00:00:00
db:	CNNVD	id:	CNNVD-201707-872	date:	2021-04-22T00:00:00
db:	NVD	id:	CVE-2017-11457	date:	2024-11-21T03:07:49.280

SOURCES RELEASE DATE

db:	BID	id:	97572	date:	2017-04-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-006832	date:	2017-09-05T00:00:00
db:	CNNVD	id:	CNNVD-201707-872	date:	2017-07-20T00:00:00
db:	NVD	id:	CVE-2017-11457	date:	2017-07-25T18:29:01.103