All the vulnerabilites related to SAP_SE - SAP NetWeaver Application Server ABAP
cve-2024-47593
Vulnerability from cvelistv5
Published
2024-11-12 00:27
Modified
2024-11-12 14:49
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application's integrity or availability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP NetWeaver Application Server ABAP |
Version: KRNL64UC 7.53 Version: KERNEL 7.53 Version: 7.54 Version: 7.77 Version: 7.89 Version: 7.93 Version: 9.12 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sap_se:sap_netweaver_and_abap_platform:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sap_netweaver_and_abap_platform", "vendor": "sap_se", "versions": [ { "status": "affected", "version": "KRNL64UC_7.53" }, { "status": "affected", "version": "KERNEL_7.53" }, { "status": "affected", "version": "7.54" }, { "status": "affected", "version": "7.77" }, { "status": "affected", "version": "7.89" }, { "status": "affected", "version": "7.93" }, { "status": "affected", "version": "9.12" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47593", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T14:44:18.510838Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-12T14:49:44.745Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "KRNL64UC 7.53" }, { "status": "affected", "version": "KERNEL 7.53" }, { "status": "affected", "version": "7.54" }, { "status": "affected", "version": "7.77" }, { "status": "affected", "version": "7.89" }, { "status": "affected", "version": "7.93" }, { "status": "affected", "version": "9.12" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application\u0027s integrity or availability.\u003c/p\u003e" } ], "value": "SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application\u0027s integrity or availability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "WE-524: Use of Cache Containing Sensitive Information", "lang": "eng" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-12T00:27:17.815Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3508947" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-47593", "datePublished": "2024-11-12T00:27:17.815Z", "dateReserved": "2024-09-27T20:05:59.022Z", "dateUpdated": "2024-11-12T14:49:44.745Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41732
Vulnerability from cvelistv5
Published
2024-08-13 03:58
Modified
2024-08-13 13:28
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP allows
an unauthenticated attacker to craft a URL link that could bypass allowlist
controls. Depending on the web applications provided by this server, the
attacker might inject CSS code or links into the web application that could
allow the attacker to read or modify information. There is no impact on
availability of application.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP NetWeaver Application Server ABAP |
Version: SAP_UI 754 Version: 755 Version: 756 Version: 757 Version: 758 Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 912 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41732", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-13T13:02:08.351578Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T13:28:06.622Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "SAP_UI 754" }, { "status": "affected", "version": "755" }, { "status": "affected", "version": "756" }, { "status": "affected", "version": "757" }, { "status": "affected", "version": "758" }, { "status": "affected", "version": "SAP_BASIS 700" }, { "status": "affected", "version": "SAP_BASIS 701" }, { "status": "affected", "version": "SAP_BASIS 702" }, { "status": "affected", "version": "SAP_BASIS 731" }, { "status": "affected", "version": "SAP_BASIS 912" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003ctable\u003e\n \u003ctbody\u003e\u003ctr\u003e\n \u003ctd\u003e\n \u003cp\u003eSAP NetWeaver Application Server ABAP allows\n an unauthenticated attacker to craft a URL link that could bypass allowlist\n controls. Depending on the web applications provided by this server, the\n attacker might inject CSS code or links into the web application that could\n allow the attacker to read or modify information. There is no impact on\n availability of application.\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e" } ], "value": "SAP NetWeaver Application Server ABAP allows\n an unauthenticated attacker to craft a URL link that could bypass allowlist\n controls. Depending on the web applications provided by this server, the\n attacker might inject CSS code or links into the web application that could\n allow the attacker to read or modify information. There is no impact on\n availability of application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-13T03:58:36.444Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3468102" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Improper Access Control in SAP Netweaver Application Server ABAP", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-41732", "datePublished": "2024-08-13T03:58:36.444Z", "dateReserved": "2024-07-22T08:06:52.676Z", "dateUpdated": "2024-08-13T13:28:06.622Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-54198
Vulnerability from cvelistv5
Published
2024-12-10 00:12
Modified
2024-12-10 21:28
Severity ?
EPSS score ?
Summary
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP NetWeaver Application Server ABAP |
Version: KRNL64NUC 7.22 Version: 7.22EXT Version: KRNL64UC 7.22 Version: 7.53 Version: KERNEL 7.22 Version: 7.54 Version: 7.77 Version: 7.89 Version: 7.93 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-54198", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-10T21:27:54.079190Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-10T21:28:02.565Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "KRNL64NUC 7.22" }, { "status": "affected", "version": "7.22EXT" }, { "status": "affected", "version": "KRNL64UC 7.22" }, { "status": "affected", "version": "7.53" }, { "status": "affected", "version": "KERNEL 7.22" }, { "status": "affected", "version": "7.54" }, { "status": "affected", "version": "7.77" }, { "status": "affected", "version": "7.89" }, { "status": "affected", "version": "7.93" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eIn certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.\u003c/p\u003e" } ], "value": "In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-914", "description": "CWE-914: Improper Control of Dynamically-Identified Variables", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T00:12:47.729Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3469791" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-54198", "datePublished": "2024-12-10T00:12:47.729Z", "dateReserved": "2024-12-02T11:40:44.769Z", "dateUpdated": "2024-12-10T21:28:02.565Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }