CVE-2019-14678: XEE
First published: Thu Nov 14 2019(Updated: )
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAS XML Mapper | =9.45 | |
| Sas Base Sas | =9.4-ts1m6 | |
| HP HP-UX | ||
| IBM AIX | ||
| Ibm Z\/os | ||
| Linux Linux kernel | ||
| Microsoft Windows | ||
| Microsoft Windows 10 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 8 | ||
| Microsoft Windows 8 | ||
| Microsoft Windows 8.1 | ||
| Microsoft Windows Server 2012 | ||
| Microsoft Windows Server 2012 | ||
| Microsoft Windows Server 2012 | =r2 | |
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2019 | ||
| Oracle Solaris |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this SAS XML Mapper vulnerability?
The vulnerability ID for this SAS XML Mapper vulnerability is CVE-2019-14678.
What is the severity of CVE-2019-14678?
The severity of CVE-2019-14678 is critical, with a severity value of 10.
What is the affected software for CVE-2019-14678?
The affected software for CVE-2019-14678 includes SAS XML Mapper 9.45 and SAS Base SAS 9.4 TS1M6.
What are the potential attacks that can be leveraged by this vulnerability?
This vulnerability can be leveraged by malicious attackers for potential attacks such as Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and Potential Denial of Service.
Where can I find more information about CVE-2019-14678?
You can find more information about CVE-2019-14678 in the SAS Knowledge Base article at http://support.sas.com/kb/64/719.html and the disclosure on GitHub at https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/sas
- canonical/sas xml mapper
- version/sas xml mapper/9.45
- canonical/sas base sas
- version/sas base sas/9.4-ts1m6
- vendor/hp
- canonical/hp hp-ux
- vendor/ibm
- canonical/ibm aix
- canonical/ibm z\/os
- vendor/linux
- canonical/linux linux kernel
- vendor/microsoft
- canonical/microsoft windows
- canonical/microsoft windows 10
- canonical/microsoft windows 7
- canonical/microsoft windows 8
- canonical/microsoft windows 8.1
- canonical/microsoft windows server 2012
- version/microsoft windows server 2012/r2
- canonical/microsoft windows server 2016
- canonical/microsoft windows server 2019
- vendor/oracle
- canonical/oracle solaris