CVE-2019-14678

Name of the Vulnerable Software and Affected Versions SAS XML Mapper version 9.45

Description The issue is an XML External Entity (XXE) vulnerability. This can be exploited by malicious attackers in various ways, including Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. The XMLV2 LIBNAME engine is also affected when the AUTOMAP option is used.

Recommendations For SAS XML Mapper version 9.45, consider disabling the AUTOMAP option in the XMLV2 LIBNAME engine as a temporary workaround to minimize the risk of exploitation. Restrict access to sensitive files and directories to prevent potential Local File Reading and Out Of Band File Exfiltration attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.