CVE-2017-11457: XML External Entity (XXE) Injection in SAP NetWeaver Application Server Java

Severity
6.5 MEDIUM (NVD)
EPSS
0.6%
top 30.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 25
Latest update: May 13

Description

XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (2)

GHSA
GHSA-r53w-3jx7-w388: XML external entity (XXE) vulnerability in com (2022-05-13)
CVEList
CVE-2017-11457: XML external entity (XXE) vulnerability in com (2017-07-25)