Vulnerability Note VU#303900
SAP Sybase Adaptive Server Enterprise vulnerable to XML injection
SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
SAP Sybase Adaptive Server Enterprise (ASE) Version 15.7 ESD 2 contains an XML injection vulnerability, which can lead to information exposure. This is due to the expanded use of XML External Entity (XXE) Processing. The XMLParse procedure is vulnerable to attack. Using a specially crafted SQL request, an authenticated attacker may be able to read files with the permissions of the user running the ASE application.
An authenticated attacker may be able to use the vulnerabilities to read user credentials. This may be used to obtain unauthorized administrative or privileged access to the system.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|SAP||Affected||08 Jan 2013||15 Oct 2013|
CVSS Metrics (Learn More)
Thanks to Igor Bulatenko for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-6025
- Date Public: 01 Oct 2013
- Date First Published: 17 Oct 2013
- Date Last Updated: 05 Dec 2013
- Document Revision: 30
If you have feedback, comments, or additional information about this vulnerability, please send us email.