Vulnerability Description
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sas | Xml Mapper | 9.45 |
| Sas | Base Sas | 9.4 |
| Hp | Hp-Ux | - |
| Ibm | Aix | - |
| Ibm | Z\/Os | - |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
| Microsoft | Windows 10 | - |
| Microsoft | Windows 7 | - |
| Microsoft | Windows 8 | - |
| Microsoft | Windows 8.1 | - |
| Microsoft | Windows Server 2012 | - |
| Microsoft | Windows Server 2016 | - |
| Microsoft | Windows Server 2019 | - |
| Oracle | Solaris | - |
Related Weaknesses (CWE)
References
- http://support.sas.com/kb/64/719.htmlVendor Advisory
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%2ExploitThird Party Advisory
- http://support.sas.com/kb/64/719.htmlVendor Advisory
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%2ExploitThird Party Advisory
FAQ
What is CVE-2019-14678?
CVE-2019-14678 is a vulnerability with a CVSS score of 10.0 (CRITICAL). SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server...
How severe is CVE-2019-14678?
CVE-2019-14678 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-14678?
Check the references section above for vendor advisories and patch information. Affected products include: Sas Xml Mapper, Sas Base Sas, Hp Hp-Ux, Ibm Aix, Ibm Z\/Os.