VAR-201707-0530
Vulnerability from variot - Updated: 2025-04-20 23:32XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. SAP NetWeaver AS JAVA Is XML An external entity vulnerability exists. Vendors have confirmed this vulnerability SAP Security Note 2387249 It is released as.Information may be obtained. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201707-0530",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "netweaver application server java",
"scope": "eq",
"trust": 1.0,
"vendor": "sap",
"version": "7.50"
},
{
"model": "netweaver",
"scope": "eq",
"trust": 0.9,
"vendor": "sap",
"version": "7.5"
},
{
"model": "netweaver",
"scope": "eq",
"trust": 0.8,
"vendor": "sap",
"version": "as java 7.5"
},
{
"model": "netweaver as java",
"scope": "eq",
"trust": 0.3,
"vendor": "sap",
"version": "7.5"
},
{
"model": "knowledge management",
"scope": "eq",
"trust": 0.3,
"vendor": "sap",
"version": "0"
}
],
"sources": [
{
"db": "BID",
"id": "97572"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:sap:netweaver",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SAP",
"sources": [
{
"db": "BID",
"id": "97572"
}
],
"trust": 0.3
},
"cve": "CVE-2017-11457",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2017-11457",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2017-11457",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2017-11457",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-11457",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2017-11457",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201707-872",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. SAP NetWeaver AS JAVA Is XML An external entity vulnerability exists. Vendors have confirmed this vulnerability SAP Security Note 2387249 It is released as.Information may be obtained. \nAttackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-11457"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "BID",
"id": "97572"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-11457",
"trust": 2.7
},
{
"db": "BID",
"id": "97572",
"trust": 1.9
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872",
"trust": 0.6
}
],
"sources": [
{
"db": "BID",
"id": "97572"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"id": "VAR-201707-0530",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.27111164
},
"last_update_date": "2025-04-20T23:32:11.355000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "April 2017 (2387249)",
"trust": 0.8,
"url": "https://blogs.sap.com/2017/04/12/sap-cyber-threat-intelligence-report-april-2017/"
},
{
"title": "SAP NetWeaver AS JAVA Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148143"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-611",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "https://erpscan.io/advisories/erpscan-17-018-sap-netweaver-java-7-5-xxe-com-sap-km-cm-ice/"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/97572"
},
{
"trust": 1.1,
"url": "https://erpscan.com/advisories/erpscan-17-018-sap-netweaver-java-7-5-xxe-com-sap-km-cm-ice/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11457"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-11457"
},
{
"trust": 0.3,
"url": "http://www.sap.com/"
},
{
"trust": 0.3,
"url": "https://launchpad.support.sap.com/#/notes/2387249"
},
{
"trust": 0.3,
"url": "https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/"
}
],
"sources": [
{
"db": "BID",
"id": "97572"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "BID",
"id": "97572"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-04-11T00:00:00",
"db": "BID",
"id": "97572"
},
{
"date": "2017-09-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"date": "2017-07-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"date": "2017-07-25T18:29:01.103000",
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-25T12:11:00",
"db": "BID",
"id": "97572"
},
{
"date": "2017-09-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-006832"
},
{
"date": "2021-04-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201707-872"
},
{
"date": "2025-04-20T01:37:25.860000",
"db": "NVD",
"id": "CVE-2017-11457"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SAP NetWeaver AS JAVA In XML External entity vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-006832"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201707-872"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…