CVE-2014-8309

Name of the Vulnerable Software and Affected Versions SAP BusinessObjects versions 3.1 through 4.0

Description The issue allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the "Session web service" endpoint. This is possible because the software generates error messages for failed logon attempts with different time delays depending on whether the user account exists.

Recommendations For SAP BusinessObjects versions 3.1 through 4.0, consider restricting access to the Session web service endpoint as a temporary workaround until a patch is available. Additionally, monitor authentication requests for unusual patterns to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.