CVE-2019-14678 : SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be l

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Published 2019-11-14 21:15:11

Updated 2019-11-22 19:34:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionServer-side request forgery (SSRF) Denial of service

Products affected by CVE-2019-14678

SAS » Base Sas » Version: 9.4 Update Ts1m6
cpe:2.3:a:sas:base_sas:9.4:ts1m6:*:*:*:*:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: IBM » Z/os » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A For X64
When used together with: Microsoft » Windows 10 » Version: N/A
When used together with: Microsoft » Windows 7 » Version: N/A Enterprise Edition
When used together with: Microsoft » Windows 7 » Version: N/A Home Premium Edition
When used together with: Microsoft » Windows 7 » Version: N/A Professional Edition
When used together with: Microsoft » Windows 7 » Version: N/A Ultimate Edition
When used together with: Microsoft » Windows 8 » Version: N/A Enterprise Edition
When used together with: Microsoft » Windows 8 » Version: N/A PRO Edition
When used together with: Microsoft » Windows 8.1 » Version: N/A PRO Edition
When used together with: Microsoft » Windows Server 2012 » Version: N/A Datacenter Edition
When used together with: Microsoft » Windows Server 2012 » Version: N/A Standard Edition
When used together with: Microsoft » Windows Server 2012 » Version: R2 Datacenter Edition
When used together with: Microsoft » Windows Server 2016 » Version: N/A
When used together with: Microsoft » Windows Server 2019 » Version: N/A
When used together with: Oracle » Solaris » Version: N/A For X64
SAS » Xml Mapper » Version: 9.45
cpe:2.3:a:sas:xml_mapper:9.45:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-14678

EPSS FAQ

0.80%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-14678

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-14678

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-14678

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper

Disclosures/CVE-2019-14678-Unsafe XML Parsing-SAS XML Mapper at master · DrunkenShells/Disclosures · GitHub
Exploit;Third Party Advisory
http://support.sas.com/kb/64/719.html

64719 - SAS® XML Mapper contains an XML External Entity (XXE) vulnerability that also affects the XMLV2 LIBNAME engine
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-14678

Products affected by CVE-2019-14678

Exploit prediction scoring system (EPSS) score for CVE-2019-14678

CVSS scores for CVE-2019-14678

CWE ids for CVE-2019-14678

References for CVE-2019-14678