ID

VAR-201705-4094


CVE

CVE-2017-8913


TITLE

XML External Entity (XXE) attack vulnerability in the Visual Composer VC70RUNTIME component of SAP NetWeaver AS JAVA

Trust: 0.8

sources: JVNDB: JVNDB-2017-004275

DESCRIPTION

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. SAP NetWeaver Visual Composer is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

Trust: 1.89

sources: NVD: CVE-2017-8913 // JVNDB: JVNDB-2017-004275 // BID: 96204

AFFECTED PRODUCTS

vendor: sap, model: netweaver application server java, scope: eq, version: 7.50

Trust: 1.0

vendor: sap, model: netweaver, scope: eq, version: as java 7.5

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.5

Trust: 0.6

vendor: sap, model: visual composer, scope: eq, version: 0

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 0

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913 // CNNVD: CNNVD-201705-660

CVSS

SEVERITY

NVD: CVE-2017-8913
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201705-660
value: HIGH

Trust: 0.6

CVSSV2

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-8913
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CVSSV3

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-8913
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913 // CNNVD: CNNVD-201705-660

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-660

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201705-660

CONFIGURATIONS

sources: NVD: CVE-2017-8913

PATCH

title: Top Page, url: https://www.sap.com/index.html

Trust: 0.8

title: SAP NetWeaver AS JAVA Visual Composer VC70RUNTIME Fixes for component security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=70291

Trust: 0.6

sources: JVNDB: JVNDB-2017-004275 // CNNVD: CNNVD-201705-660

EXTERNAL IDS

db: NVD, id: CVE-2017-8913

Trust: 2.7

db: JVNDB, id: JVNDB-2017-004275

Trust: 0.8

db: CNNVD, id: CNNVD-201705-660

Trust: 0.6

db: BID, id: 96204

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913 // CNNVD: CNNVD-201705-660

REFERENCES

url:https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/

Trust: 1.6

url:https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/

Trust: 1.6

url:https://erpscan.com/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8913

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-8913

Trust: 0.8

url:https://erpscan.com/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/

Trust: 0.8

url:http://www.sap.com/

Trust: 0.3

url:https://service.sap.com/sap/support/notes/2386873

Trust: 0.3

sources: BID: 96204 // JVNDB: JVNDB-2017-004275 // NVD: CVE-2017-8913 // CNNVD: CNNVD-201705-660

CREDITS

ERPScan

Trust: 0.3

sources: BID: 96204

SOURCES

db: BID, id: 96204
db: JVNDB, id: JVNDB-2017-004275
db: NVD, id: CVE-2017-8913
db: CNNVD, id: CNNVD-201705-660

LAST UPDATE DATE

2023-12-18T14:01:35.907000+00:00


SOURCES UPDATE DATE

db: BID, id: 96204, date: 2017-05-23T18:00:00
db: JVNDB, id: JVNDB-2017-004275, date: 2017-06-21T00:00:00
db: NVD, id: CVE-2017-8913, date: 2021-04-20T19:37:03.733
db: CNNVD, id: CNNVD-201705-660, date: 2021-04-22T00:00:00

SOURCES RELEASE DATE

db: BID, id: 96204, date: 2017-02-14T00:00:00
db: JVNDB, id: JVNDB-2017-004275, date: 2017-06-21T00:00:00
db: NVD, id: CVE-2017-8913, date: 2017-05-23T04:29:02.243
db: CNNVD, id: CNNVD-201705-660, date: 2017-05-16T00:00:00