CVE-2019-14678

 

  • Severity Score (CVSS v3.1): 10.0
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 2
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-08-05 CVE Reserved
  • 2019-11-14 CVE Published
  • 2023-10-21 EPSS Updated
  • 2024-03-12 First Exploit
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | in Vendor | Product | Version | Other | Status
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Hp | Hp-ux | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Ibm | Aix | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Ibm | Z/os | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Linux | Linux Kernel | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows | - | x64 | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 10 | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 7 | - | enterprise | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 7 | - | home_premium | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 7 | - | professional | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 7 | - | ultimate | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 8 | - | enterprise | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 8 | - | pro | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows 8.1 | - | pro | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows Server 2012 | - | datacenter | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows Server 2012 | - | standard | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows Server 2012 | r2 | datacenter | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows Server 2016 | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Microsoft | Windows Server 2019 | - | - | Safe
Sas | Base Sas | 9.4 | ts1m6 | Affected | in Oracle | Solaris | - | x64 | Safe
Sas | Xml Mapper | 9.45 | - | Affected