CVE-2019-14678
https://notcve.org/view.php?id=CVE-2019-14678
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used. SAS XML Mapper versión 9.45, tiene una vulnerabilidad de tipo XML External Entity (XXE) que los atacantes maliciosos pueden aprovechar en múltiples maneras. Algunos ejemplos son la Lectura de Archivos Local, la Filtración de Archivos Fuera de Banda, la Falsificación de Peticiones del Lado del Servidor o potenciales ataques de denegación de servicio. • https://github.com/mbadanoiu/CVE-2019-14678 http://support.sas.com/kb/64/719.html https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2014-2262
https://notcve.org/view.php?id=CVE-2014-2262
Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS 9.3 TS1M1 and TS1M2, and SAS 9.4 TS1M0 allows user-assisted remote attackers to execute arbitrary code via a crafted SAS program. Desbordamiento de buffer en la aplicación cliente en Base SAS 9.2 TS2M3, SAS 9.3 TS1M1 y TS1M2 y SAS 9.4 TS1M0 permite a atacantes remotos asistidos por usuario ejecutar código arbitrario a través de un programa SAS manipulado. • http://secunia.com/advisories/57029 http://support.sas.com/kb/51/701.html http://www.securityfocus.com/archive/1/531283/100/0/threaded http://www.securityfocus.com/bid/65853 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140227-0_SAS_Buffer_overflow_v10.txt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2002-0218
https://notcve.org/view.php?id=CVE-2002-0218
Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument. Vulnerabilidad en cadena de formato en SAStcpd en SAS/Base oobjspawn en Sas/Integration Technologies 8.0 y 8.1permite a usuarios locales ejecutar código arbitrario mediante especificadores de formato en un argumento de línea de comandos. • http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html http://online.securityfocus.com/archive/1/252847 http://online.securityfocus.com/archive/1/252891 http://www.iss.net/security_center/static/8018.php http://www.sas.com/service/techsup/unotes/SN/004/004201.html http://www.securityfocus.com/bid/3980 •
CVE-2002-0219
https://notcve.org/view.php?id=CVE-2002-0219
Buffer overflow in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via large command line argument. Desbordamiento de Buffer en SAS/Base 8.0 y 8.1 oSAS/Integration Technologies 8.0 y 8.1 permite a usuarios locales ejecutar código arbitrario mediante argumentos de linea de comando largos. • http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html http://online.securityfocus.com/archive/1/252847 http://online.securityfocus.com/archive/1/252891 http://www.iss.net/security_center/static/8017.php http://www.sas.com/service/techsup/unotes/SN/004/004201.html http://www.securityfocus.com/bid/3979 •