CVE-2014-8309

2014-10-1619:00:00

mitre

www.cve.org

6.9 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.4%

JSON

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

References

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Oct/42

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029

www.securityfocus.com/archive/1/533647/100/0/threaded

www.securityfocus.com/bid/70304

exchange.xforce.ibmcloud.com/vulnerabilities/96874

service.sap.com/sap/support/notes/2001109