⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2016-9563

Severity: 6.5 MEDIUM
EPSS: 58.4% (top 1.80%)
CISA KEV: added 2021-11-03, due 2022-05-03
Exploit: exploited in the wild, active exploitation observed
Timeline: Published Nov 23; KEV added Nov 3; Latest update Apr 30; KEV due May 3
CISA Required Action: Apply updates per vendor instructions.

Description

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (3 sources)

- GHSA: GHSA-pqg2-q88q-5h4p: BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7 (2022-04-30)
- CVEList: CVE-2016-9563: BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7 (2016-11-23)
- VulnCheck: SAP NetWeaver XML External Entity (XXE) Vulnerability (2016)

Vendor Advisories (1 source)

- CISA: SAP NetWeaver XML External Entity (XXE) Vulnerability (2021-11-03)
CVE-2016-9563 (MEDIUM CVSS 6.5) | BC-BMT-BPM-DSK in SAP NetWeaver AS | cvebase.io