XML injection in SAP BEx Web Java Runtime Export Web Service



Published: 2024-08-13
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-42374
CWE-ID CWE-91
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
BEx Web Java Runtime Export Web Service
Server applications / Other server solutions

Vendor SAP

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) XML injection

EUVDB-ID: #VU95817

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-42374

CWE-ID: CWE-91 - XML Injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service attack.

The vulnerability exists due to improper input validation when processing XML files. A remote unauthenticated attacker can pass a specially crafted XML file to the application and gain access to sensitive information from the SAP ADS system or exhaust the number of XMLForm service, rendering the SAP ADS (PDF creation) unavailable.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

BEx Web Java Runtime Export Web Service: All versions

External links

http://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###