SAP ADS BEx Web Runtime Export XML Validation Flaw
CVE-2024-42374 Published on August 13, 2024
XML injection in SAP BEx Web Java Runtime Export Web Service
BEx Web Java Runtime Export Web Service does not
sufficiently validate an XML document accepted from an untrusted source. An
attacker can retrieve information from the SAP ADS system and exhaust the
number of XMLForm service which makes the SAP ADS rendering (PDF creation)
unavailable. This affects the confidentiality and availability of the
application.
Vulnerability Analysis
CVE-2024-42374 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.
Weakness Type
What is an aka Blind XPath Injection Vulnerability?
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.
CVE-2024-42374 has been classified to as an aka Blind XPath Injection vulnerability or weakness.
Products Associated with CVE-2024-42374
Want to know whenever a new CVE is published for SAP Bex Web Java Runtime Export Web Service? stack.watch will email you.
Affected Versions
SAP_SE SAP BEx Web Java Runtime Export Web Service:- Version BI-BASE-E 7.5 is affected.
- Version BI-BASE-B 7.5 is affected.
- Version BI-IBC 7.5 is affected.
- Version BI-BASE-S 7.5 is affected.
- Version BIWEBAPP 7.5 is affected.
- Version bi-base-e7.5 is affected.
- Version bi-base-b7.5 is affected.
- Version bi-base-s7.5 is affected.
- Version biwebapp7.5 is affected.
- Version bi-ibc7.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.