ID

VAR-201311-0408


TITLE

SAP NetWeaver Web Application Server SHSTI_UPLOAD_XML XML External Entity Vulnerability

Trust: 0.8

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14586

DESCRIPTION

SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver Web Application Server has an error in the SHSTI_UPLOAD_XML function when parsing XML entities. A specially crafted XML document containing external entity references allows restricted management commands to be sent to the gateway or message server.

Trust: 0.72

sources: CNVD: CNVD-2013-14586 // IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14586

AFFECTED PRODUCTS

vendor: sap, model: netweaver as abap, scope: eq, version: 7.31

Trust: 0.8

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14586

CVSS

SEVERITY

CNVD: CNVD-2013-14586
value: MEDIUM

Trust: 0.6

IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

CVSSV2

CNVD: CNVD-2013-14586
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14586

TYPE

Design error

Trust: 0.2

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d

PATCH

title: SAP NetWeaver Web Application Server SHSTI_UPLOAD_XML Patch for XML External Entity Vulnerabilities
url: https://www.cnvd.org.cn/patchinfo/show/41196

Trust: 0.6

sources: CNVD: CNVD-2013-14586

EXTERNAL IDS

db: CNVD, id: CNVD-2013-14586

Trust: 0.8

db: IVD, id: D61BD9E0-1EFC-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: d61bd9e0-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14586

REFERENCES

url: http://erpscan.com/advisories/erpscan-13-020-sap-netweaver-shsti_upload_xml-xxe/

Trust: 0.6

sources: CNVD: CNVD-2013-14586

SOURCES

db: IVD, id: d61bd9e0-1efc-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-14586

LAST UPDATE DATE

2022-05-17T01:51:11.588000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-14586, date: 2013-11-21T00:00:00

SOURCES RELEASE DATE

db: IVD, id: d61bd9e0-1efc-11e6-abef-000c29c66e3d, date: 2013-11-21T00:00:00
db: CNVD, id: CNVD-2013-14586, date: 2013-11-21T00:00:00