Lucene search

[email protected]CVE-2014-8309

HistoryOct 16, 2014 - 7:55 p.m.

CVE-2014-8309

2014-10-1619:55:19

CWE-200

[email protected]

web.nvd.nist.gov

sap

businessobjects

vulnerability

remote attackers

authentication

enumeration

nvd

7.2 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

Affected configurations

NVD

Node

sapbusinessobjectsMatch4.0

sapbusinessobjects_xiMatch3.1

sapbusinessobjects_xiMatchr2

CPENameOperatorVersion
sap:businessobjectssap businessobjectseq4.0
sap:businessobjects_xisap businessobjects xieq3.1
sap:businessobjects_xisap businessobjects xieqr2

CPE	Name	Operator	Version
sap:businessobjects	sap businessobjects	eq	4.0
sap:businessobjects_xi	sap businessobjects xi	eq	3.1
sap:businessobjects_xi	sap businessobjects xi	eq	r2

References

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Oct/42

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029

www.securityfocus.com/archive/1/533647/100/0/threaded

www.securityfocus.com/bid/70304

exchange.xforce.ibmcloud.com/vulnerabilities/96874

service.sap.com/sap/support/notes/2001109

7.2 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

76.3%

JSON

Related for CVE-2014-8309

prion1 cvelist1 nvd1