CVE-2014-8309
SAP BusinessObjects 4.0 and XI R2/R3.1 - Username Enumeration via SecEnterprise Authentication Timing
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generate error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
References (7)
Vendor Advisory (x_refsource_confirm): https://service.sap.com/sap/support/notes/2001109
Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/96874
Third Party Advisory, VDB Entry, Mailing List (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/533647/100/0/threaded
Mailing List (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Oct/42
Various Sources (x_refsource_misc): http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029
Vendor Advisory (x_refsource_confirm): http://scn.sap.com/docs/DOC-8218
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/70304
Scores
EPSS: 0.0049 (percentile 65.7%)
Details
CWE: CWE-200
Status: published
Products (3)
sap/businessobjects 4.0
sap/businessobjects_xi 3.1
sap/businessobjects_xi r2
Published: Oct 16, 2014
Tracked Since: Feb 18, 2026