CVE-2015-2812
Description
XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2093966.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP NetWeaver Portal 7.31 XMLValidationComponent fails to disable external entity processing, allowing remote XXE attacks to read files or perform SSRF.
Vulnerability
The XMLValidationComponent in SAP NetWeaver Portal 7.31 (build 7.31.201109172004) mishandles XML parsing by not disabling external entity processing. This XML External Entity (XXE) vulnerability, tracked as CWE-611, allows an attacker who supplies crafted XML input to the component to have the parser resolve external entities referencing local files or internal network resources [1]. The affected version is SAP NetWeaver Portal 7.31; other versions may also be vulnerable [1].
Exploitation
An unauthenticated remote attacker can send a specially crafted XML document to the XMLValidationComponent endpoint. The XML parser will process external entity definitions within the input, which can point to local file paths (e.g., file:///etc/passwd) or internal URLs (e.g., http://internal-server/). No authentication or special privileges are required, as the component is accessible over the network [1].
Impact
Successful exploitation can lead to local file disclosure (reading arbitrary files on the server), server-side request forgery (SSRF) allowing requests to intranet servers, denial of service (DoS) via resource exhaustion, and potential upload of malicious content if the parser allows entity expansion into the response stream [1]. The attacker gains information disclosure and may pivot to internal infrastructure, but does not achieve direct remote code execution from the XXE alone.
Mitigation
SAP released Security Notes 2098608 and 2093966 to address the vulnerability [1]. Install these notes on SAP NetWeaver Portal 7.31. The fixed versions and release dates are specified in the vendor notes. If patching is delayed, restrict network access to the XMLValidationComponent endpoint as a workaround. No evidence of listing in CISA KEV was provided.
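As an added example (not SAP's code and not from this page), the parser configuration the Vulnerability and Mitigation sections describe as missing: every hook that external-entity processing needs is wired to reject the document. It uses Python's standard-library expat parser; the sample documents and the PLACEHOLDER paths are constructed for the demonstration.

```python
"""Hardened XML parsing: refuse DOCTYPE, entity declarations and external
references, so the parser never resolves a file:// or http:// entity."""
import xml.parsers.expat


class XXEAttempt(ValueError):
    """Input contained a construct that external-entity processing needs."""


def parse_hardened(xml_bytes: bytes) -> list:
    """Parse untrusted XML, returning (element, attributes) pairs in order.

    Every expat hook involved in entity processing raises, so a DOCTYPE with
    <!ENTITY ext SYSTEM "file:///..."> is rejected before the parser would
    open the file or URL it names.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE not allowed (root={name!r}, system id={sysid!r})")

    def refuse_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XXEAttempt(f"entity declaration not allowed: {name!r}")

    def refuse_external_ref(context, base, sysid, pubid):
        raise XXEAttempt(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append((name, attrs))
    parser.Parse(xml_bytes, True)  # an exception from any hook aborts the parse
    return seen


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refused the document as an XXE attempt."""
    try:
        parse_hardened(xml_bytes)
    except XXEAttempt:
        return True
    return False


# Constructed samples, not captured traffic; the PLACEHOLDER paths stand in
# for the local-file and intranet targets the CVE description mentions.
BENIGN = b'<?xml version="1.0"?><validate><doc id="42">hello</doc></validate>'
FILE_ENTITY = (b'<!DOCTYPE validate [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
               b'<validate>&ext;</validate>')
EXTERNAL_DTD = (b'<!DOCTYPE validate SYSTEM "http://intranet.example/PLACEHOLDER.dtd">'
                b'<validate/>')
```

Both crafted documents are refused at the DOCTYPE before any entity is resolved, while the benign document parses normally; the same rule (no DOCTYPE, no entity declarations, no external references) is what the vendor fix has to enforce in the Java parser behind XMLValidationComponent.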
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*
- Range: = 7.31 build 201109172004
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.