Vulnerability Description
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Sap Netweaver Application Server Java | 7.4 |
References
- http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.
- http://seclists.org/fulldisclosure/2015/May/96
- http://www.securityfocus.com/archive/1/536239/100/0/threaded
- http://www.securityfocus.com/bid/74850
- https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xx
- http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.
- http://seclists.org/fulldisclosure/2015/May/96
- http://www.securityfocus.com/archive/1/536239/100/0/threaded
- http://www.securityfocus.com/bid/74850
- https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xx
FAQ
What is CVE-2015-4091?
CVE-2015-4091 is a vulnerability with a CVSS score of 7.5 (HIGH). XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc...
How severe is CVE-2015-4091?
CVE-2015-4091 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-4091?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Sap Netweaver Application Server Java.