CVE-2019-14678

Summary

CVE	CVE-2019-14678
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-11-14 21:15:00 UTC
Updated	2019-11-22 19:34:00 UTC
Description	SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Risk And Classification

Problem Types: CWE-611

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Hp	Hp-ux	-	All	All	All
Operating System	Hp	Hp-ux	-	All	All	All
Operating System	Ibm	Aix	-	All	All	All
Operating System	Ibm	Aix	-	All	All	All
Operating System	Ibm	Z/os	-	All	All	All
Operating System	Ibm	Z/os	-	All	All	All
Operating System	Ibm	Z/os	-	All	All	All
Operating System	Linux	Linux Kernel	-	All	All	All
Operating System	Linux	Linux Kernel	-	All	All	All
Operating System	Microsoft	Windows	-	All	All	All
Operating System	Microsoft	Windows	-	All	All	All
Operating System	Microsoft	Windows 10	-	All	All	All
Operating System	Microsoft	Windows 10	-	All	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 7	-	-	All	All
Operating System	Microsoft	Windows 8	-	All	All	All
Operating System	Microsoft	Windows 8	-	All	All	All
Operating System	Microsoft	Windows 8	-	All	All	All
Operating System	Microsoft	Windows 8	-	All	All	All
Operating System	Microsoft	Windows 8.1	-	All	All	All
Operating System	Microsoft	Windows 8.1	-	All	All	All
Operating System	Microsoft	Windows Server 2012	-	All	All	All
Operating System	Microsoft	Windows Server 2012	-	All	All	All
Operating System	Microsoft	Windows Server 2012	r2	All	All	All
Operating System	Microsoft	Windows Server 2012	-	All	All	All
Operating System	Microsoft	Windows Server 2012	-	All	All	All
Operating System	Microsoft	Windows Server 2012	r2	All	All	All
Operating System	Microsoft	Windows Server 2016	-	All	All	All
Operating System	Microsoft	Windows Server 2016	-	All	All	All
Operating System	Microsoft	Windows Server 2019	-	All	All	All
Operating System	Microsoft	Windows Server 2019	-	All	All	All
Operating System	Oracle	Solaris	-	All	All	All
Operating System	Oracle	Solaris	-	All	All	All
Application	Sas	Base Sas	9.4	ts1m6	All	All
Application	Sas	Base Sas	9.4	ts1m6	All	All
Application	Sas	Xml Mapper	9.45	All	All	All
Application	Sas	Xml Mapper	9.45	All	All	All

References

Reference	Source	Link	Tags
64719 - SAS® XML Mapper contains an XML External Entity (XXE) vulnerability that also affects the XMLV2 LIBNAME engine	MISC	support.sas.com	Vendor Advisory
Disclosures/CVE-2019-14678-Unsafe XML Parsing-SAS XML Mapper at master · DrunkenShells/Disclosures · GitHub	MISC	github.com	Exploit, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.