CVE-2019-14678

CRITICAL

SAS XML Mapper 9.45 - SSRF

Title source: llm

Description

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Exploits (1)

nomisec SUSPICIOUS

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2019-14678

View Code ZIP pw:eip

References (2)

[Vendor Advisory] http://support.sas.com/kb/64/719.html

[Exploit, Third Party Advisory] https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper

Scores

CVSS v3 10.0

EPSS 0.0080

EPSS Percentile 74.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (2)

sas/base_sas 9.4 ts1m6

sas/xml_mapper 9.45

Published Nov 14, 2019

Tracked Since Feb 18, 2026