CVE-2016-9563 — MEDIUM (6.5)

Vulnerability Description

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Sap	Netweaver Application Server Java	7.50

Related Weaknesses (CWE)

CWE-611

References

http://www.securityfocus.com/bid/92419Broken LinkThird Party AdvisoryVDB Entry
https://erpscan.io/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerabilitBroken LinkThird Party Advisory
https://launchpad.support.sap.com/#/notes/2296909Permissions Required
http://www.securityfocus.com/bid/92419Broken LinkThird Party AdvisoryVDB Entry
https://erpscan.io/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerabilitBroken LinkThird Party Advisory
https://launchpad.support.sap.com/#/notes/2296909Permissions Required
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-US Government Resource

FAQ

What is CVE-2016-9563?

CVE-2016-9563 is a vulnerability with a CVSS score of 6.5 (MEDIUM). BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Sec...

How severe is CVE-2016-9563?

CVE-2016-9563 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9563?

Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver Application Server Java.