Lucene search

MitreCVE-2014-8309

HistoryOct 16, 2014 - 7:55 p.m.

CVE-2014-8309

2014-10-1619:55:19

CWE-200

mitre

web.nvd.nist.gov

sap

businessobjects

vulnerability

remote attackers

authentication

enumeration

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.2

Confidence

Low

EPSS

0.005

Percentile

76.3%

JSON

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

Affected configurations

Nvd

Node

sapbusinessobjectsMatch4.0

sapbusinessobjects_xiMatch3.1

sapbusinessobjects_xiMatchr2

VendorProductVersionCPE
sapbusinessobjects4.0cpe:2.3:a:sap:businessobjects:4.0:*:*:*:*:*:*:*
sapbusinessobjects_xi3.1cpe:2.3:a:sap:businessobjects_xi:3.1:*:*:*:*:*:*:*
sapbusinessobjects_xir2cpe:2.3:a:sap:businessobjects_xi:r2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	businessobjects	4.0	cpe:2.3:a:sap:businessobjects:4.0:::::::*
sap	businessobjects_xi	3.1	cpe:2.3:a:sap:businessobjects_xi:3.1:::::::*
sap	businessobjects_xi	r2	cpe:2.3:a:sap:businessobjects_xi:r2:::::::*

References

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Oct/42

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029

www.securityfocus.com/archive/1/533647/100/0/threaded

www.securityfocus.com/bid/70304

exchange.xforce.ibmcloud.com/vulnerabilities/96874

service.sap.com/sap/support/notes/2001109

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.2

Confidence

Low

EPSS

0.005

Percentile

76.3%

JSON

Related for CVE-2014-8309