All the vulnerabilites related to SAP_SE - SAP NetWeaver AS JAVA
cve-2024-28164
Vulnerability from cvelistv5
Published
2024-06-11 02:18
Modified
2024-08-02 00:48
Summary
SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:7.50:*:*:*:java_as:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.50"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28164",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-28T15:00:57.290351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T16:44:43.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3425571"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS Java",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "GP-CORE 7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SAP NetWeaver AS Java (CAF - Guided Procedures)\nallows an unauthenticated user to access non-sensitive information about the\nserver which would otherwise be restricted causing low impact on\nconfidentiality of the application."
            }
          ],
          "value": "SAP NetWeaver AS Java (CAF - Guided Procedures)\nallows an unauthenticated user to access non-sensitive information about the\nserver which would otherwise be restricted causing low impact on\nconfidentiality of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-11T10:10:35.316Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3425571"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-28164",
    "datePublished": "2024-06-11T02:18:48.019Z",
    "dateReserved": "2024-03-06T06:12:27.005Z",
    "dateUpdated": "2024-08-02T00:48:49.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-47582
Vulnerability from cvelistv5
Published
2024-12-10 00:12
Modified
2024-12-10 20:38
Summary
Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-10T20:38:12.896235Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-10T20:38:26.239Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS JAVA",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "LM-CORE 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-10T00:12:24.270Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3351041"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-47582",
    "datePublished": "2024-12-10T00:12:24.270Z",
    "dateReserved": "2024-09-27T20:05:49.544Z",
    "dateUpdated": "2024-12-10T20:38:26.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42477
Vulnerability from cvelistv5
Published
2023-10-10 01:37
Modified
2024-09-18 18:55
Summary
SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:39.133Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3333426"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-18T18:54:26.974833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T18:55:58.441Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS Java",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50,\u00a0allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50,\u00a0allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-10T01:37:54.816Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3333426"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2023-42477",
    "datePublished": "2023-10-10T01:37:54.816Z",
    "dateReserved": "2023-09-11T07:15:13.775Z",
    "dateUpdated": "2024-09-18T18:55:58.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-34688
Vulnerability from cvelistv5
Published
2024-06-11 02:02
Modified
2024-08-02 02:59
Summary
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sap:netweaver:7.50:*:*:*:java_as:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "netweaver",
            "vendor": "sap",
            "versions": [
              {
                "status": "affected",
                "version": "7.50"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34688",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-11T13:36:48.543897Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-11T13:40:34.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:22.017Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3460407"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS Java",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "MMR_SERVER 7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Due to unrestricted access to the Meta Model\nRepository services in SAP NetWeaver AS Java, attackers can perform DoS attacks\non the application, which may prevent legitimate users from accessing it. This\ncan result in no impact on confidentiality and integrity but a high impact on\nthe availability of the application."
            }
          ],
          "value": "Due to unrestricted access to the Meta Model\nRepository services in SAP NetWeaver AS Java, attackers can perform DoS attacks\non the application, which may prevent legitimate users from accessing it. This\ncan result in no impact on confidentiality and integrity but a high impact on\nthe availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-11T10:12:32.680Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3460407"
        },
        {
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-34688",
    "datePublished": "2024-06-11T02:02:21.587Z",
    "dateReserved": "2024-05-07T05:46:11.658Z",
    "dateUpdated": "2024-08-02T02:59:22.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}