CVE-2016-9563

CVE Published	2016-11-23
Related CWE(s)	CWE-611: Improper Restriction of XML External Entity Reference
Related Vendor(s)	sap
Related Product(s)	netweaver_application_server_java
Exploitation Reported (CISA KEV)	2021-11-03
CVSS 3 Base Score	6.5 (MEDIUM)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

References

CVE-2016-9563

Cyber Threat Graph Context

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

References

CVE.org

NIST National Vulnerability Database

CISA Known Exploited Vulnerabilities