Information disclosure in SAP BusinessObjects
CVE-2014-8309
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid…
Vulnerability class: Information Disclosure
EPSS: 0.005 (66.0th percentile)
Affected products
- SAP BusinessObjects — versions 4.0
- SAP BusinessObjects XI — versions 3.1, R2
Weakness classification (CWE)
References
- cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
- sap-businessobjects-timing-info-disc(96874) (vdb-entry, x_refsource_XF)
- 20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure (mailing-list, x_refsource_BUGTRAQ)
- 20141008 [Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure (mailing-list, x_refsource_FULLDISC)
- cve@mitre.org (x_refsource_MISC)
- cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
- 70304 (vdb-entry, x_refsource_BID)