XML Entity Expansion Attack
CVE-2024-47582

5.3MEDIUM

Key Information:

Vendor
SAP
Status
SAP Netweaver As Java
Vendor
CVE Published:
10 December 2024

Summary

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.

Affected Version(s)

SAP NetWeaver AS JAVA LM-CORE 7.50

References

https://me.sap.com/notes/3351041
https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.