CVE-2024-47582 - Vulnerability Details - OpenCVE

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00108.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://me.sap.com/notes/3351041
https://url.sap/sapsecuritypatchday

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00086}`	epss `{'score': 0.00096}`

Tue, 10 Dec 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Dec 2024 00:45:00 +0000

Type	Values Removed	Values Added
Description		Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.
Title		XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA
Weaknesses		CWE-611
References		https://me.sap.com/notes/3351041 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-12-10T00:12:24.270Z

Updated: 2024-12-10T20:38:26.239Z

Reserved: 2024-09-27T20:05:49.544Z

Link: CVE-2024-47582

Vulnrichment

Updated: 2024-12-10T20:38:22.466Z

NVD

Status : Received

Published: 2024-12-10T01:15:06.280

Modified: 2024-12-10T01:15:06.280

Link: CVE-2024-47582

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47582", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-09-27T20:05:49.544Z", "datePublished": "2024-12-10T00:12:24.270Z", "dateUpdated": "2024-12-10T20:38:26.239Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver AS JAVA", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "LM-CORE 7.50"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.</p>"}], "value": "Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-12-10T00:12:24.270Z"}, "references": [{"url": "https://me.sap.com/notes/3351041"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-10T20:38:12.896235Z", "id": "CVE-2024-47582", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-10T20:38:26.239Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-10T20:38:12.896235Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-10T20:38:22.466Z"}}], "cna": {"title": "XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP NetWeaver AS JAVA", "versions": [{"status": "affected", "version": "LM-CORE 7.50"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3351041"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-12-10T00:12:24.270Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47582", "state": "PUBLISHED", "dateUpdated": "2024-12-10T20:38:26.239Z", "dateReserved": "2024-09-27T20:05:49.544Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2024-12-10T00:12:24.270Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}