ID

VAR-201410-1206


CVE

CVE-2014-8316


TITLE

SAP BusinessObjects Explorer XML External Entity Injection Vulnerability

Trust: 0.9

sources: BID: 70384 // CNNVD: CNNVD-201410-585

DESCRIPTION

XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request. Supplementary information: the vulnerability type has been identified by CWE as CWE-611, Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html). A third party may read an arbitrary file through the xmlParameter parameter of an explorationSpaceUpdate request. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. BusinessObjects Explorer 14.0.5 (build 882) is vulnerable; other versions may also be affected.

Trust: 1.89

sources: NVD: CVE-2014-8316 // JVNDB: JVNDB-2014-004937 // BID: 70384

AFFECTED PRODUCTS

vendor: sap, model: businessobjects explorer, scope: eq, version: 14.0.5

Trust: 1.6

vendor: sap, model: businessobjects explorer, scope: eq, version: 14.0.5 build 882

Trust: 0.8

vendor: sap, model: businessobjects explorer (build, scope: eq, version: 14.0.5882)

Trust: 0.3

sources: BID: 70384 // JVNDB: JVNDB-2014-004937 // CNNVD: CNNVD-201410-585 // NVD: CVE-2014-8316

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8316
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8316
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-585
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-8316
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2014-004937 // CNNVD: CNNVD-201410-585 // NVD: CVE-2014-8316

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2014-004937 // NVD: CVE-2014-8316

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-585

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201410-585

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004937

PATCH

title: SAP Security Note 1908531, url: http://scn.sap.com/docs/DOC-55451

Trust: 0.8

sources: JVNDB: JVNDB-2014-004937

EXTERNAL IDS

db: NVD, id: CVE-2014-8316

Trust: 2.7

db: BID, id: 70384

Trust: 1.9

db: PACKETSTORM, id: 128633

Trust: 1.6

db: JVNDB, id: JVNDB-2014-004937

Trust: 0.8

db: CNNVD, id: CNNVD-201410-585

Trust: 0.6

sources: BID: 70384 // JVNDB: JVNDB-2014-004937 // CNNVD: CNNVD-201410-585 // NVD: CVE-2014-8316

REFERENCES

url:http://www.csnc.ch/misc/files/advisories/csnc-2013-018_sap_businessobjects_explorer_xxe.txt

Trust: 2.4

url:http://seclists.org/fulldisclosure/2014/oct/50

Trust: 1.9

url:http://www.securityfocus.com/bid/70384

Trust: 1.6

url:http://scn.sap.com/docs/doc-55451

Trust: 1.6

url:http://packetstormsecurity.com/files/128633/sap-businessobjects-explorer-14.0.5-xxe-injection.html

Trust: 1.6

url:https://service.sap.com/sap/support/notes/1908531

Trust: 1.6

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/96933

Trust: 1.0

url:http://www.securityfocus.com/archive/1/533673/100/0/threaded

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8316

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8316

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/533673/100/0/threaded

Trust: 0.6

url:http://www.sap.com

Trust: 0.3

sources: BID: 70384 // JVNDB: JVNDB-2014-004937 // CNNVD: CNNVD-201410-585 // NVD: CVE-2014-8316

CREDITS

Stefan Horlacher

Trust: 0.3

sources: BID: 70384

SOURCES

db: BID, id: 70384
db: JVNDB, id: JVNDB-2014-004937
db: CNNVD, id: CNNVD-201410-585
db: NVD, id: CVE-2014-8316

LAST UPDATE DATE

2025-04-13T23:31:37.105000+00:00


SOURCES UPDATE DATE

db: BID, id: 70384, date: 2015-04-13T21:01:00
db: JVNDB, id: JVNDB-2014-004937, date: 2015-12-02T00:00:00
db: CNNVD, id: CNNVD-201410-585, date: 2014-10-22T00:00:00
db: NVD, id: CVE-2014-8316, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: BID, id: 70384, date: 2014-10-10T00:00:00
db: JVNDB, id: JVNDB-2014-004937, date: 2014-10-23T00:00:00
db: CNNVD, id: CNNVD-201410-585, date: 2014-10-22T00:00:00
db: NVD, id: CVE-2014-8316, date: 2014-10-16T19:55:20.240