XML injection in BEx Web Java Runtime Export Web Service - CVE-2024-42374

 

XML injection in BEx Web Java Runtime Export Web Service - CVE-2024-42374

Published: August 13, 2024


Vulnerability identifier: #VU95817
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-42374
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
BEx Web Java Runtime Export Web Service

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service attack.

The vulnerability exists due to improper input validation when processing XML files. A remote unauthenticated attacker can pass a specially crafted XML file to the application and gain access to sensitive information from the SAP ADS system or exhaust the number of XMLForm service, rendering the SAP ADS (PDF creation) unavailable.


How to mitigate CVE-2024-42374

Install updates from vendor's website.

Sources