CVE-2014-8309
Severity Score
5.0
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
SAP BusinessObjects 4.0 y BusinessObjects XI (BOXI) R2 y 3.1 generan mensajes de error tras un intento de inicio de sesión fallido con diferente tiempo de retraso dependiendo de si la cuenta de usuario existe o no, lo que permite a atacantes remotos enumerar nombres de usuario válidos a través de peticiones de autenticación SecEnterprise al servicio web Session.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-10-16 CVE Reserved
- 2014-10-16 CVE Published
- 2024-05-28 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2014/Oct/42 | Mailing List |
|
| http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029 | X_refsource_misc | |
| http://www.securityfocus.com/archive/1/533647/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/70304 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/96874 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://scn.sap.com/docs/DOC-8218 | 2018-10-09 | |
| https://service.sap.com/sap/support/notes/2001109 | 2018-10-09 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sap Search vendor "Sap" | Businessobjects Search vendor "Sap" for product "Businessobjects" | 4.0 Search vendor "Sap" for product "Businessobjects" and version "4.0" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Businessobjects Xi Search vendor "Sap" for product "Businessobjects Xi" | 3.1 Search vendor "Sap" for product "Businessobjects Xi" and version "3.1" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Businessobjects Xi Search vendor "Sap" for product "Businessobjects Xi" | r2 Search vendor "Sap" for product "Businessobjects Xi" and version "r2" | - |
Affected
| ||||||