CVE-2017-8913
high
CVSS v3
8.8
CVSS v4 NEW
โ
VIR risk
8.8
Description
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.
Predictions
Exploit likelihood
92%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| sap | netweaver_application_server_java | 7.50 | |
References
- https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/
- https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/
- https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/
- https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/
CWEs
CWE-611
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.