Vulnerability-Lookup

CNVD-2015-05785

Vulnerability from cnvd - Published: 2015-09-02

Title

SAP Mobile Platform application import XML外部实体漏洞

Description

SAP Mobile Platform（SMP）是德国思爱普（SAP）公司的一套移动应用开发平台。该平台用于构建适用于任意设备的打包和定制开发应用。 SMP 2.3版本的application import功能中存在XML外部实体漏洞。远程攻击者可借助特制的XML数据利用该漏洞读取任意文件。

Severity

中

Formal description

目前没有详细解决方案提供： http://www.sap.com

Reference

http://erpscan.com/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/

Impacted products

Name
SAP SMP 2.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-6664"
    }
  },
  "description": "SAP Mobile Platform\uff08SMP\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u79fb\u52a8\u5e94\u7528\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u7528\u4e8e\u6784\u5efa\u9002\u7528\u4e8e\u4efb\u610f\u8bbe\u5907\u7684\u6253\u5305\u548c\u5b9a\u5236\u5f00\u53d1\u5e94\u7528\u3002\r\n\r\nSMP 2.3\u7248\u672c\u7684application import\u529f\u80fd\u4e2d\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684XML\u6570\u636e\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002",
  "discovererName": "SAP",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.sap.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05785",
  "openTime": "2015-09-02",
  "products": {
    "product": "SAP SMP 2.3"
  },
  "referenceLink": "http://erpscan.com/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/",
  "serverity": "\u4e2d",
  "submitTime": "2015-08-25",
  "title": "SAP Mobile Platform application import XML\u5916\u90e8\u5b9e\u4f53\u6f0f\u6d1e"
}

CVE-2015-6664 (GCVE-0-2015-6664)

Vulnerability from cvelistv5 – Published: 2015-08-24 14:00 – Updated: 2024-08-06 07:29

Summary

XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2152227.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://erpscan.io/advisories/erpscan-15-020-sap-…	x_refsource_MISC
	http://www.securityfocus.com/archive/1/536954/100…	mailing-listx_refsource_BUGTRAQ
	http://seclists.org/fulldisclosure/2015/Nov/96	mailing-listx_refsource_FULLDISC
	http://packetstormsecurity.com/files/134509/SAP-M…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:29:24.347Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://erpscan.io/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/"
          },
          {
            "name": "20151123 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/536954/100/0/threaded"
          },
          {
            "name": "20151124 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2015/Nov/96"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/134509/SAP-Mobile-Platform-2.3-XXE-Injection.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-08-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2152227."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-10T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://erpscan.io/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/"
        },
        {
          "name": "20151123 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/536954/100/0/threaded"
        },
        {
          "name": "20151124 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2015/Nov/96"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/134509/SAP-Mobile-Platform-2.3-XXE-Injection.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-6664",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2152227."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://erpscan.io/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/",
              "refsource": "MISC",
              "url": "https://erpscan.io/advisories/erpscan-15-020-sap-mobile-platform-2-3-xxe-in-application-import/"
            },
            {
              "name": "20151123 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/536954/100/0/threaded"
            },
            {
              "name": "20151124 [ERPSCAN-15-020] SAP Mobile Platform 2.3 - XXE in application import",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2015/Nov/96"
            },
            {
              "name": "http://packetstormsecurity.com/files/134509/SAP-Mobile-Platform-2.3-XXE-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/134509/SAP-Mobile-Platform-2.3-XXE-Injection.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-6664",
    "datePublished": "2015-08-24T14:00:00",
    "dateReserved": "2015-08-24T00:00:00",
    "dateUpdated": "2024-08-06T07:29:24.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-05785

CVE-2015-6664 (GCVE-0-2015-6664)

Tags

Sightings

Nomenclature