Design/Logic Flaw

2014-10-1619:55:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.4%

JSON

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

CPENameOperatorVersion
businessobjectseq4.0
businessobjects_xieq2.0.114
businessobjects_xieq3.1

Name	Operator	Version
businessobjects	eq	4.0
businessobjects_xi	eq	2.0.114
businessobjects_xi	eq	3.1

References

scn.sap.com/docs/DOC-8218

seclists.org/fulldisclosure/2014/Oct/42

www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029

www.securityfocus.com/archive/1/533647/100/0/threaded

www.securityfocus.com/bid/70304

exchange.xforce.ibmcloud.com/vulnerabilities/96874

service.sap.com/sap/support/notes/2001109