CVE-2014-8309

2014-10-1619:00:00

mitre

www.cve.org

AI Score

6.9

Confidence

Low

EPSS

0.005

Percentile

76.3%

JSON

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

References

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Oct/42

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029

www.securityfocus.com/archive/1/533647/100/0/threaded

www.securityfocus.com/bid/70304

exchange.xforce.ibmcloud.com/vulnerabilities/96874

service.sap.com/sap/support/notes/2001109