CVE-2019-14678

CRITICAL

10.0

Description

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

CVE Details

CVSS v3.1 Score10.0

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published11/14/2019

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

hp:hp-uxibm:aixibm:z\/oslinux:linux_kernelmicrosoft:windowsmicrosoft:windows_10microsoft:windows_7microsoft:windows_8microsoft:windows_8.1microsoft:windows_server_2012microsoft:windows_server_2016microsoft:windows_server_2019oracle:solarissas:base_sassas:xml_mapper

Weaknesses (CWE)

CWE-611

References

http://support.sas.com/kb/64/719.html(cve@mitre.org)

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper(cve@mitre.org)

http://support.sas.com/kb/64/719.html(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.