Vulnerabilities related to sap - netweaver_application_server_abap
Vulnerability from fkie_nvd
Published
2021-06-16 15:15
Modified
2024-11-21 05:58
Severity ?
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3007182 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3007182 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 700 | |
sap | netweaver_abap | 701 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_abap | 804 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 804 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "E0DA7CC6-A0F6-4839-965D-C60F691496AD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "6497854E-9C7B-4DAF-ADC6-F26523BB7D47", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "5EFD3BCC-9B3E-49F2-B469-C465381303B4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: 
"98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper 
authentication and may be exploited by malicious users to obtain illegitimate access to the system.", }, { lang: "es", value: "SAP NetWeaver ABAP Server y ABAP Platform, versiones - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, no crea información sobre el usuario RFC interno y externo en un formato consistente y distinguible, lo que podría conllevar a una autenticación inapropiada y podría ser explotado por usuarios maliciosos para obtener acceso ilegítimo al sistema", }, ], id: "CVE-2021-27610", lastModified: "2024-11-21T05:58:17.543", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, 
published: "2021-06-16T15:15:08.363", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3007182", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3007182", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-12 03:15
Modified
2024-11-21 08:19
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3323163 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3323163 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 | |
sap | netweaver_application_server_abap | 757 | |
sap | netweaver_application_server_abap | 758 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", matchCriteriaId: "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", matchCriteriaId: "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_ui:*:*:*", matchCriteriaId: "E46A16E9-567E-4E24-B6A5-197EE62B4055", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_ui:*:*:*", matchCriteriaId: "27F238D5-561C-4E52-B679-D9E72860AE78", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_ui:*:*:*", matchCriteriaId: "4F144BB2-80C6-4587-9F8B-B9E5118A981D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_ui:*:*:*", matchCriteriaId: "74A938BD-9F65-4BDC-8FB6-EA0D9026DA7A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_ui:*:*:*", matchCriteriaId: "7A83A25D-5A3A-459B-906A-300DD0EC6989", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.\n\n", }, { lang: "es", value: "SAP NetWeaver AS ABAP (aplicaciones basadas en renderizado unificado): versiones SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, permite a un atacante inyectar código JavaScript que se puede ejecutar en la aplicación web . 
De este modo, un atacante podría controlar el comportamiento de esta aplicación web.", }, ], id: "CVE-2023-40624", lastModified: "2024-11-21T08:19:50.723", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 3.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-12T03:15:13.970", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3323163", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3323163", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-05-12 18:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2856923 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2856923 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service", }, { lang: "es", value: "SAP NetWeaver AS ABAP (Web Dynpro ABAP), versiones (SAP_UI 750, 752, 753, 754 y SAP_BASIS 700, 710, 730, 731, 804), 
permite a un atacante no autenticado impedir a usuarios legítimos el acceso a un servicio, ya sea mediante el bloqueo o la inundación del servicio que conlleva a una Denegación de Servicio.", }, ], id: "CVE-2020-6240", lastModified: "2024-11-21T05:35:21.767", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-12T18:15:13.677", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2856923", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2856923", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-08-12 14:15
Modified
2024-11-21 05:35
Severity ?
Summary
Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2944988 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2944988 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | abap_platform | 7.31 | |
sap | abap_platform | 7.40 | |
sap | abap_platform | 7.50 | |
sap | abap_platform | 700 | |
sap | abap_platform | 701 | |
sap | abap_platform | 702 | |
sap | abap_platform | 710 | |
sap | abap_platform | 711 | |
sap | abap_platform | 751 | |
sap | abap_platform | 753 | |
sap | abap_platform | 755 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 710 | |
sap | netweaver_application_server_abap | 711 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform:7.31:*:*:*:*:*:*:*", matchCriteriaId: "D7E7672B-1021-4592-AA5F-2B51B63627BA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:7.40:*:*:*:*:*:*:*", matchCriteriaId: "4AB22F97-3C28-4AA0-8BA2-84559AB56279", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:7.50:*:*:*:*:*:*:*", matchCriteriaId: "A7AAA98F-50DD-4752-8D42-1E7B5B93BDB1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:700:*:*:*:*:*:*:*", matchCriteriaId: "9AA5D36E-BE80-422B-8A6B-0ABDDE274146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:701:*:*:*:*:*:*:*", matchCriteriaId: "C04D8608-83F0-4D7F-A7A9-59B616240F14", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:702:*:*:*:*:*:*:*", matchCriteriaId: "E4DF5956-1396-41FA-B101-E24F7898D135", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:710:*:*:*:*:*:*:*", matchCriteriaId: "ADE0E878-BE4E-4CFD-907D-7ABB745A4CE8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:711:*:*:*:*:*:*:*", matchCriteriaId: "D14E8DCD-B365-4FC0-B08C-1A89787111C9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:751:*:*:*:*:*:*:*", matchCriteriaId: "65320F25-669B-40D8-A246-07B0202C00A9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:753:*:*:*:*:*:*:*", matchCriteriaId: "E1C86F45-445E-4970-A378-199A35B23F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:755:*:*:*:*:*:*:*", matchCriteriaId: "5B48E0FF-814F-4F9C-B5B1-87D978E1B4A4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: 
"706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.", }, { lang: "es", value: "Un control de acceso inapropiado en el componente SOA Configuration Trace en SAP NetWeaver (ABAP Server) y la plataforma ABAP, versiones - 702, 730, 731, 740, 750, permite a cualquier usuario autenticado enumerar todos los usuarios de SAP, conllevando a una Divulgación de Información", }, ], id: 
"CVE-2020-6310", lastModified: "2024-11-21T05:35:29.030", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-12T14:15:14.767", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2944988", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2944988", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ 
"Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-14 13:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2927373 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2927373 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | abap_platform | 7.31 | |
sap | abap_platform | 7.40 | |
sap | abap_platform | 7.50 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform:7.31:*:*:*:*:*:*:*", matchCriteriaId: "D7E7672B-1021-4592-AA5F-2B51B63627BA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:7.40:*:*:*:*:*:*:*", matchCriteriaId: "4AB22F97-3C28-4AA0-8BA2-84559AB56279", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:7.50:*:*:*:*:*:*:*", matchCriteriaId: "A7AAA98F-50DD-4752-8D42-1E7B5B93BDB1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.", }, { lang: "es", value: "SAP NetWeaver (ABAP Server) y ABAP Platform, versiones 731, 740, 750, permiten a un atacante con privilegios de administrador acceder a determinados archivos que de otro modo deberían estar restringidos, conllevando a una Divulgación de Información", }, ], id: "CVE-2020-6280", lastModified: "2024-11-21T05:35:25.693", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, 
obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-14T13:15:12.610", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2927373", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2927373", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-09 23:15
Modified
2024-11-21 06:46
Severity ?
Summary
SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but there is no risk of modification.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3140587 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3140587 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:787:*:*:*:*:*:*:*", matchCriteriaId: "204DBA8B-9C40-4D5D-8BEB-4D05DE962A02", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible.", }, { lang: "es", value: "SAP NetWeaver AS ABAP (Workplace Server) - versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, permite a un atacante ejecutar consultas a la base de datos diseñadas, que podrían exponer la base de datos del backend. Los ataques con éxito podrían resultar en una revelación de una tabla de contenidos del sistema, pero no se presenta riesgo de modificación posible", }, ], id: "CVE-2022-22540", lastModified: "2024-11-21T06:46:59.310", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, 
source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-09T23:15:18.817", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3140587", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3140587", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-07-14 12:15
Modified
2024-11-21 06:09
Severity ?
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions 700, 702, 730, 731, 804, 740, 750, 784, expose functions externally, which can lead to information disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3044754 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3044754 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 700 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 730 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 784 | |
sap | netweaver_abap | 804 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 784 | |
sap | netweaver_application_server_abap | 804 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "E0DA7CC6-A0F6-4839-965D-C60F691496AD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "6D46B6A9-C9F3-4270-AA6D-9988D6D4E608", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:784:*:*:*:*:*:*:*", matchCriteriaId: "0F9CF5F7-EA03-41C4-9BF9-F3FC28F4EE9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "5EFD3BCC-9B3E-49F2-B469-C465381303B4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:784:*:*:*:*:*:*:*", matchCriteriaId: "E968B8C6-B6A4-4BCC-9233-E6AA7D354709", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.", }, { lang: "es", value: "El servidor ABAP de SAP NetWeaver y la Plataforma ABAP, versiones - 700, 702, 730, 731, 804, 740, 750, 784, expone funciones al exterior que pueden conllevar a una divulgación de información", }, ], id: "CVE-2021-33677", lastModified: "2024-11-21T06:09:20.617", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "cna@sap.com", type: "Secondary", }, ], 
cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-14T12:15:08.340", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3044754", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3044754", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-04-13 19:15
Modified
2024-11-21 05:58
Severity ?
Summary
The RFC-enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions 731, 740, 750, allows a caller to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes, thereby causing a Denial of Service and affecting the Availability of the SAP system.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3028729 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3028729 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.", }, { lang: "es", value: "Un módulo de función SPI_WAIT_MILLIS habilitado para RFC en SAP NetWeaver AS ABAP, versiones - 731, 740, 750, permite mantener un proceso de trabajo ocupado durante cualquier período de tiempo. 
Un atacante podría llamar a este módulo de funciones varias veces para bloquear todos los procesos de trabajo, conllevando a una Denegación de Servicio y afectaría la Disponibilidad del sistema SAP", }, ], id: "CVE-2021-27603", lastModified: "2024-11-21T05:58:16.687", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-13T19:15:15.397", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3028729", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: 
"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3028729", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 06:15
Modified
2024-11-21 07:53
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read, but potentially critical OS files can be deleted, making the system unavailable and causing significant impact on both availability and integrity.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity\n\n", }, ], id: "CVE-2023-27501", lastModified: "2024-11-21T07:53:02.323", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 5.8, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 5.8, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T06:15:12.213", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: 
"https://launchpad.support.sap.com/#/notes/3294954", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3294954", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:16
Severity ?
Summary
SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3080710 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3080710 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 700 | |
sap | netweaver_abap | 701 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 730 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_abap | 756 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "E0DA7CC6-A0F6-4839-965D-C60F691496AD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "6497854E-9C7B-4DAF-ADC6-F26523BB7D47", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "6D46B6A9-C9F3-4270-AA6D-9988D6D4E608", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "5F4A410E-6276-4DD2-8C84-8B7DD06AD8FD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: 
"C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, ], negate: false, operator: 
"OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.", }, { lang: "es", value: "SAP NetWeaver AS ABAP y ABAP Platform - versiones 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, permite a un atacante impedir que los usuarios legítimos accedan a un servicio, ya sea al bloquear o inundar el servicio", }, ], id: "CVE-2021-38181", lastModified: "2024-11-21T06:16:35.023", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-12T15:15:08.860", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3080710", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions 
Required", ], url: "https://launchpad.support.sap.com/#/notes/3080710", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-09-10 04:15
Modified
2024-09-16 14:14
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Due to a missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3496410 | Permissions Required | |
cna@sap.com | https://url.sap/sapsecuritypatchday | Patch |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:*:*:*:*", matchCriteriaId: "48DFFD36-0A4A-417F-9BC5-77FD4152B637", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:912:*:*:*:*:*:*:*", matchCriteriaId: "D2F8173D-96E8-4194-9927-681AFF56B3F0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.", }, { lang: "es", value: "Debido a la falta de verificación de autorización, SAP NetWeaver Application Server para ABAP y ABAP Platform permite que un atacante que haya iniciado sesión como desarrollador lea objetos incluidos en un paquete. 
Esto afecta la confidencialidad, ya que, de lo contrario, el atacante no tendría acceso para ver estos objetos.", }, ], id: "CVE-2024-41728", lastModified: "2024-09-16T14:14:52.840", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-09-10T04:15:04.470", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3496410", }, { source: "cna@sap.com", tags: [ "Patch", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-08-13 04:15
Modified
2024-09-11 17:52
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on the availability of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3468102 | Permissions Required | |
cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 | |
sap | netweaver_application_server_abap | 757 | |
sap | netweaver_application_server_abap | 758 | |
sap | netweaver_application_server_abap | sap_basis_700 | |
sap | netweaver_application_server_abap | sap_basis_701 | |
sap | netweaver_application_server_abap | sap_basis_702 | |
sap | netweaver_application_server_abap | sap_basis_731 | |
sap | netweaver_application_server_abap | sap_basis_912 | |
sap | netweaver_application_server_abap | sap_ui_754 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:*:*:*:*", matchCriteriaId: "48DFFD36-0A4A-417F-9BC5-77FD4152B637", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_700:*:*:*:*:*:*:*", matchCriteriaId: "AB7909F4-1D66-4C4F-95F3-34ACB0190DB8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_701:*:*:*:*:*:*:*", matchCriteriaId: "F8310EBA-2438-427F-80C2-BE151E35D97D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_702:*:*:*:*:*:*:*", matchCriteriaId: "732E155D-C866-4F0E-BC86-037B94308B7D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_731:*:*:*:*:*:*:*", matchCriteriaId: "035EDBAC-C29B-49DB-ACEE-CA64750E7290", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_912:*:*:*:*:*:*:*", matchCriteriaId: "1CC51692-5E94-4678-99B0-4EC1D633DDF8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_ui_754:*:*:*:*:*:*:*", matchCriteriaId: "D1C94D7F-EF14-41AB-9A6A-EB99E40AD99A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP allows\n an unauthenticated attacker to craft a URL link that could bypass allowlist\n controls. 
Depending on the web applications provided by this server, the\n attacker might inject CSS code or links into the web application that could\n allow the attacker to read or modify information. There is no impact on\n availability of application.", }, { lang: "es", value: "SAP NetWeaver Application Server ABAP permite a un atacante no autenticado crear un enlace URL que podría eludir los controles de la lista de permitidos. Dependiendo de las aplicaciones web proporcionadas por este servidor, el atacante podría inyectar código CSS o enlaces en la aplicación web que podrían permitirle leer o modificar información. No hay ningún impacto en la disponibilidad de la aplicación.", }, ], id: "CVE-2024-41732", lastModified: "2024-09-11T17:52:39.477", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-13T04:15:08.637", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3468102", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ 
{ lang: "en", value: "CWE-284", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-08-08 01:15
Modified
2024-11-21 08:11
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3348000 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3348000 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6F048ED9-2DDF-4EB9-8571-73832AFABF6A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*", matchCriteriaId: "C37DC475-6B9A-493C-9A6F-28CDD65D2A5B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", matchCriteriaId: "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", matchCriteriaId: "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", matchCriteriaId: "8E96C58C-ED44-487B-A67E-FDAE3C29023A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", matchCriteriaId: "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*", matchCriteriaId: "419BA423-0803-4F51-8889-014A521F02CE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*", matchCriteriaId: "DA20ECDC-8807-462C-A0F0-70DF6F5A119B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*", matchCriteriaId: "800AAC21-325C-4F16-AE5A-9F89327E5356", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*", matchCriteriaId: "BDC15DB7-A95B-475F-AAA6-60A801F65690", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*", matchCriteriaId: "55A2FECF-A32E-4188-9563-E8BA0E952261", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*", matchCriteriaId: 
"9CBF2E53-17F0-4BF0-9C38-749C7E611BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:*", matchCriteriaId: "5160572B-E3AB-4B96-8950-07DDAFA0E4A6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:793:*:*:*:sap_basis:*:*:*", matchCriteriaId: "AB104F44-D209-41D3-AE25-A5A4A8CE3323", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:sap_basis:*:*:*", matchCriteriaId: "FF9FC6F8-E0D3-4F96-BB6C-E922C4C87327", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 
This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.", }, ], id: "CVE-2023-37492", lastModified: "2024-11-21T08:11:49.560", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-08-08T01:15:18.993", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3348000", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3348000", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 05:15
Modified
2024-11-21 07:49
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.\n\n", }, ], id: "CVE-2023-25618", lastModified: "2024-11-21T07:49:50.493", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T05:15:29.967", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { 
source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 06:15
Modified
2024-11-21 07:53
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to overwrite system files. In this attack, no data can be read, but potentially critical OS files can be overwritten, making the system unavailable.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.\n\n", }, ], id: "CVE-2023-27500", lastModified: "2024-11-21T07:53:02.147", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 5.8, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T06:15:12.100", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3302162", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3302162", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor 
Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-11-08 22:15
Modified
2024-11-21 07:22
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Summary
SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked into disclosing personal information.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3251202 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3251202 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 789 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information.\n\n", }, { lang: "es", value: "SAP NetWeaver ABAP Server y ABAP Platform permiten que un atacante no autenticado redirija a los usuarios a un sitio malicioso debido a una validación de URL insuficiente. 
Esto podría llevar a que se engañe al usuario para que revele información personal.", }, ], id: "CVE-2022-41215", lastModified: "2024-11-21T07:22:50.783", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-08T22:15:19.383", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3251202", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3251202", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:24
Severity ?
Summary
There are multiple Denial-of-Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3099011 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3099011 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform.", }, { lang: "es", value: "Se presentan múltiples vulnerabilidades de denegación de servicio en SAP NetWeaver Application Server for ABAP y ABAP Platform - versiones 740, 750, 751, 752, 753, 754, 755. Un atacante no autorizado puede usar el servicio público SICF /sap/public/bc/abap para reducir el rendimiento de SAP NetWeaver Application Server ABAP y ABAP Platform", }, ], id: "CVE-2021-40495", lastModified: "2024-11-21T06:24:15.617", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: 
"2021-10-12T15:15:09.127", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3099011", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3099011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-06-10 13:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, is vulnerable to a Server-Side Request Forgery (SSRF) attack, wherein an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is set up, the attacker can compromise the confidentiality, integrity and availability of the SAP database.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2912939 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2912939 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.", }, { lang: "es", value: "SAP Netweaver AS ABAP, versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, son vulnerables a un ataque de tipo Server Side Request Forgery, donde un atacante puede usar nombres de ruta inapropiados que contienen nombres de servidores maliciosos en la funcionalidad de importación/exportación de sesiones y obligan al servidor web a autenticarse con el servidor malicioso. 
Adicionalmente, si NTLM está configurado, el atacante puede comprometer la confidencialidad, integridad y disponibilidad de la base de datos de SAP", }, ], id: "CVE-2020-6275", lastModified: "2024-11-21T05:35:25.340", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1, impactScore: 6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-06-10T13:15:18.667", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2912939", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2912939", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:49
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated attacker to inject code that can be executed by the application over the network. On successful exploitation, the attacker can gain access to sensitive information, which leads to a limited impact on the confidentiality and the integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3274585 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3274585 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], id: "CVE-2023-25614", lastModified: "2024-11-21T07:49:49.983", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:13.193", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3274585", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3274585", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-13 16:15
Modified
2024-11-21 07:18
Severity ?
Summary
An attacker with no prior authentication could craft and send a malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in a reflected cross-site scripting attack. This could lead to the theft of session information and impersonation of the affected user.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3229820 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3229820 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 7.54 | |
sap | netweaver_application_server_abap | 7.81 | |
sap | netweaver_application_server_abap | 7.85 | |
sap | netweaver_application_server_abap | 7.89 | |
sap | netweaver_application_server_abap | kernel_7.77 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*", matchCriteriaId: "92EBF7BA-BB05-4946-9CA8-E170AB80ECA3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "252DCEF2-8DDF-467F-8869-B69A0A3426F8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", matchCriteriaId: "9BC578BE-2308-491E-9D56-6B45AFF0FCFA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*", matchCriteriaId: "4C5C5010-9631-4C70-AD90-A0D16B03BFA5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user.", }, { lang: "es", value: "Un atacante sin autenticación previa podría diseñar y enviar un script malicioso a la Interfaz Gráfica de Usuario de SAP para HTML dentro de Fiori Launchpad, resultando en un ataque de tipo cross-site scripting. 
Esto podría conllevar a un robo de información de sesión y una suplantación del usuario afectado", }, ], id: "CVE-2022-39799", lastModified: "2024-11-21T07:18:16.317", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-13T16:15:09.110", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3229820", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3229820", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-07-14 12:15
Modified
2024-11-21 06:09
Severity ?
Summary
SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allow an attacker to send overlong content in the RFC request type, thereby crashing the corresponding work process because of a memory corruption vulnerability. The work process will attempt to restart itself after the crash, and hence the impact on availability is low.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3032624 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3032624 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 7.21 | |
sap | netweaver_abap | 7.21ext | |
sap | netweaver_abap | 7.22 | |
sap | netweaver_abap | 7.22ext | |
sap | netweaver_abap | 7.49 | |
sap | netweaver_abap | 7.53 | |
sap | netweaver_abap | 7.77 | |
sap | netweaver_abap | 7.81 | |
sap | netweaver_abap | kernel_8.04 | |
sap | netweaver_abap | krnl32nuc_7.21 | |
sap | netweaver_abap | krnl32uc_7.21 | |
sap | netweaver_abap | krnl64nuc_7.21 | |
sap | netweaver_abap | krnl64uc_8.04 | |
sap | netweaver_application_server_abap | 7.21 | |
sap | netweaver_application_server_abap | 7.21ext | |
sap | netweaver_application_server_abap | 7.22 | |
sap | netweaver_application_server_abap | 7.22ext | |
sap | netweaver_application_server_abap | 7.49 | |
sap | netweaver_application_server_abap | 7.53 | |
sap | netweaver_application_server_abap | 7.77 | |
sap | netweaver_application_server_abap | 7.81 | |
sap | netweaver_application_server_abap | kernel_8.04 | |
sap | netweaver_application_server_abap | krnl32nuc_7.21 | |
sap | netweaver_application_server_abap | krnl32uc_7.21 | |
sap | netweaver_application_server_abap | krnl64nuc_7.21 | |
sap | netweaver_application_server_abap | krnl64uc_8.04 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:7.21:*:*:*:*:*:*:*", matchCriteriaId: "A46A215F-D013-4E5D-B597-EEE7FD65C27E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.21ext:*:*:*:*:*:*:*", matchCriteriaId: "125D552D-24DF-4BE6-9DA6-55177DFA6ADD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.22:*:*:*:*:*:*:*", matchCriteriaId: "FFBA8C16-AD2E-4046-A22D-B8AB2A38DAD0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "A701B328-CC8D-4F10-8CDB-47883CAAC116", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.49:*:*:*:*:*:*:*", matchCriteriaId: "699E6EA8-1AA9-4C0E-A373-7E2F93E2F861", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.53:*:*:*:*:*:*:*", matchCriteriaId: "8A748DC7-E701-4E5B-9918-5CA6D7F52899", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.77:*:*:*:*:*:*:*", matchCriteriaId: "9E438D5E-F211-4361-AC2D-E86A7CE88026", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "87B7FA96-2BA0-4328-8C97-31129E72D779", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "7679B78A-CF53-42FA-8A96-319F13B40A8F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:krnl32nuc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "3BA319BA-6236-4D24-B6D4-1F8159944002", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:krnl32uc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "4C568E18-9F51-47C4-B190-75E2ADF9981C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:krnl64nuc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "C318C2FD-3521-4DA9-8934-693D3DFC137E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:krnl64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "6DCEFFCC-4529-4A75-A146-C28A4CA80DC3", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:7.21:*:*:*:*:*:*:*", matchCriteriaId: "F36D87C9-12A9-4D37-9BBB-E22D8A054341", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.21ext:*:*:*:*:*:*:*", matchCriteriaId: "AA1D3FB7-DE15-4F23-908F-DDEAAB3C577C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*", matchCriteriaId: "16B3C589-DF11-459D-8A3F-1A1FD2265022", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AF64539B-0DE2-4076-91B9-F03F4DDFAE2F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*", matchCriteriaId: "9FBC5614-7C3F-4AD8-8640-0499B8B03C64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", matchCriteriaId: "9E8CB869-C342-4362-9A4A-298F0B5F4003", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", matchCriteriaId: "89E7439E-F4D6-45EA-99FC-C9B34D4D590E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "252DCEF2-8DDF-467F-8869-B69A0A3426F8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "379FDFC8-947E-4D09-A9DD-4B3F7481F648", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32nuc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "5A3C05E4-BD11-4E9C-8476-70AF2A236056", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32uc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "674E3638-1270-4AEA-ABA3-8CD116FFEE48", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.21:*:*:*:*:*:*:*", matchCriteriaId: "94631E8C-631B-4972-A30F-BA93E58005B4", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "88CD861F-08FB-4CE1-923C-79D1480A2259", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low.", }, { lang: "es", value: "SAP NetWeaver AS ABAP y ABAP Platform, versiones - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7. 53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, permite a un atacante enviar contenido excesivamente largo en el tipo de petición RFC, bloqueando así el proceso de trabajo correspondiente debido a una vulnerabilidad de corrupción de memoria. 
El proceso de trabajo intentará reiniciarse por sí mismo después del bloqueo y, por lo tanto, el impacto en la disponibilidad es bajo", }, ], id: "CVE-2021-33684", lastModified: "2024-11-21T06:09:21.680", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-14T12:15:09.497", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3032624", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: 
[ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3032624", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-787", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-787", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-03-10 17:47
Modified
2024-11-21 06:53
Severity ?
Summary
Due to a missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker to access content on the start screen of any transaction that is available within the same SAP system, even if he/she isn't authorized for that transaction. A successful exploitation could expose information and, in the worst case, manipulate data before the start screen is executed, resulting in limited impact on the confidentiality and integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | Vendor Advisory | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/3145997 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3145997 | Permissions Required, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 731 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application.", }, { lang: "es", value: "Debido a una falta de comprobación de la autorización, SAP NetWeaver Application Server for ABAP - versiones 700, 701, 702, 731, permite a un atacante autenticado, acceder al contenido de la pantalla de inicio de cualquier transacción que esté disponible con en el mismo sistema SAP, incluso si él / ella no está autorizado para esa transacción. 
Una explotación con éxito podría exponer información y, en el peor de los casos, manipular datos antes de que sea ejecutada la pantalla de inicio, lo que tendría un impacto limitado en la confidencialidad e integridad de la aplicación", }, ], id: "CVE-2022-26102", lastModified: "2024-11-21T06:53:25.997", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 5.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-03-10T17:47:30.490", references: [ { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", }, { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3145997", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3145997", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: 
[ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-12-12 02:15
Modified
2024-11-21 08:33
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L (cna@sap.com, Secondary)
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L (nvd@nist.gov, Primary)
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3392547 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3392547 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6F048ED9-2DDF-4EB9-8571-73832AFABF6A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", matchCriteriaId: "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", matchCriteriaId: "8E96C58C-ED44-487B-A67E-FDAE3C29023A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", matchCriteriaId: "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.\n\n", }, { lang: "es", value: "SAP GUI para Windows y SAP GUI para Java permiten que un atacante no autenticado acceda a información que de otro modo estaría restringida y confidencial. Además, esta vulnerabilidad permite que un atacante no autenticado escriba datos en una tabla de base de datos. 
Al hacerlo, el atacante podría aumentar los tiempos de respuesta del AS ABAP, lo que tendría un impacto leve en la disponibilidad.", }, ], id: "CVE-2023-49581", lastModified: "2024-11-21T08:33:35.943", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 3.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 9.4, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-12T02:15:07.710", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3392547", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3392547", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: 
"Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-11 15:15
Modified
2024-11-21 06:59
Severity ?
Summary
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in a Stored Cross-Site Scripting (XSS) attack.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3146336 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3146336 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.", }, { lang: "es", value: "SAP NetWeaver Application Server ABAP permite que un atacante autenticado cargue archivos maliciosos y elimine (tema) datos, lo que podría resultar en un ataque de tipo Cross-Site Scripting (XSS) Almacenado", }, ], id: "CVE-2022-29610", lastModified: "2024-11-21T06:59:25.557", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: 
"LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-11T15:15:09.840", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3146336", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3146336", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 - allows an unauthenticated attacker to send a crafted URL to a user. By clicking the URL, the tricked user accesses SAP and might be directed, with the response, to somewhere outside SAP and enter sensitive data there. This could cause a limited impact on the confidentiality and integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3293786 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3293786 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. 
This could cause a limited impact on confidentiality and integrity of the application.\n\n", }, ], id: "CVE-2023-23858", lastModified: "2024-11-21T07:46:59.097", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:11.980", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3293786", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3293786", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-12 02:15
Modified
2024-11-21 08:19
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3327896 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3327896 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:commoncryptolib:8.0.0:*:*:*:*:*:*:*", matchCriteriaId: "92E07A81-F35C-4BF4-8AB4-E5B3C3D09487", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:6.50:*:*:*:*:*:*:*", matchCriteriaId: "85520864-E99A-4576-847C-5E0EA1E6CEC5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*", matchCriteriaId: "A02FB973-7FA0-4881-B912-27F4CFBDC673", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:7.54:*:*:*:*:*:*:*", matchCriteriaId: "ED7FD33E-6870-48EB-8695-67B9169D1808", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:*:*:*:*:*:*:*", matchCriteriaId: "FF475F4D-11D8-401A-BAB8-8A31E81CEEEB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:hana_database:2.0:*:*:*:*:*:*:*", matchCriteriaId: "30B0858F-6AE9-4163-B001-1481FD3AFF9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:host_agent:722:*:*:*:*:*:*:*", matchCriteriaId: "6A56308E-B097-49F3-8963-1F34E8716CD9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AF64539B-0DE2-4076-91B9-F03F4DDFAE2F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "D99F18BB-B44E-48B5-BD7C-D20E40915268", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: 
"A120BC2E-92B2-404A-ADF6-F1AF512631E6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "56F63498-DAC3-40EE-9625-51FA522BA0DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*", matchCriteriaId: "06155DA1-7EDD-4EBA-8EBB-F7352F4EC7D2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "104EE65A-202C-4F4E-B725-791A73687167", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "0269C487-81F8-4240-BEF8-1A7C33864519", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "379FDFC8-947E-4D09-A9DD-4B3F7481F648", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "7184F3A2-3408-4B7E-BEA6-BBF55909969F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "BB2D30A5-DB16-4CB7-8135-3CE106FA5477", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "D1657980-CBAC-41AC-A20E-18D7199EA244", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "771ED2D0-3BC5-4C36-BCEB-1A1C46667363", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "0F05534F-3D2B-4983-9CC1-3A8BC7D421C8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "AE19A598-2F90-4014-AC5B-352FBC154907", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "97EDAAC4-4885-46CE-860A-DDF92FF205C4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "4E53E262-A23E-4D99-B2D8-DDCBEED85EA2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "F7E61257-B187-4A83-96BD-D53CE11061D7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "34E0B493-0860-4074-A383-F9C2A06EA8E9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: "D338B951-5C8F-4C14-931C-5F8AEA7F5924", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "525603B5-ADDC-4F58-B730-FC748A56D6E1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:*:*:*:*:*:*:*", matchCriteriaId: "CA2270AE-437E-4FDE-9F53-690C0BCF9C2E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "BD374580-7D80-4D7F-8D89-8F52F2DEA8D4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "59253D09-D58D-4013-8F29-2172C1B83AA8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "21316691-9A18-4B41-915E-491225CEF966", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "2BB08C06-0E07-4317-B1AC-C1ECCF931E7A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "8692B960-38A9-4035-88F5-C33D15B6A018", vulnerable: 
true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "1D9E47FB-D39A-40C3-AEEE-D6A5AE27F063", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "80C5A218-C623-41C5-A001-304046608CF9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "92E7B426-D50F-4AEE-B6F3-5D00C8A195F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "039A11C9-D9D1-42BC-8DD4-2BCDAAF464CD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sapssoext:17.0:*:*:*:*:*:*:*", matchCriteriaId: "784CA842-6657-4A02-96B0-76A66AC469C9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "D3F76E6A-2F27-450C-AAB5-E49A64079CAC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*", matchCriteriaId: "47D4D542-2EC2-490B-B4E9-3E7BB8D59B77", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.54:*:*:*:*:*:*:*", matchCriteriaId: "950DF1E2-990E-41EF-8779-CEC54C7CDC60", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*", matchCriteriaId: "E33D9481-3CF6-4AA3-B115-7903AC6DAE25", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", matchCriteriaId: "F74EE4D5-E968-4851-89E6-4152F64930F2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*", matchCriteriaId: "097ED3E8-49B1-497E-BD43-28C397FBEAE8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it 
unavailable. There is no ability to view or modify any information.", }, { lang: "es", value: "SAP CommonCryptoLib permite que un atacante no autenticado cree una solicitud que, cuando se envía a un puerto abierto, provoca un error de corrupción de memoria en una librería, lo que a su vez provoca que el componente de target falle y deje de estar disponible. No hay posibilidad de ver o modificar ninguna información.", }, ], id: "CVE-2023-40308", lastModified: "2024-11-21T08:19:12.393", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-12T02:15:12.610", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3327896", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3327896", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-787", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-11 03:15
Modified
2024-11-21 07:53
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT - does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim into clicking it; the script supplied by the attacker will then execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver | 7.22ext | |
sap | netweaver_application_server_abap | 7.22 | |
sap | netweaver_application_server_abap | 7.53 | |
sap | netweaver_application_server_abap | 7.54 | |
sap | netweaver_application_server_abap | 7.77 | |
sap | netweaver_application_server_abap | 7.81 | |
sap | netweaver_application_server_abap | 7.85 | |
sap | netweaver_application_server_abap | 7.89 | |
sap | netweaver_application_server_abap | 7.91 | |
sap | netweaver_application_server_abap | krnl64uc | |
sap | netweaver_application_server_abap | krnl64uc_7.22 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "71AFBCEC-649C-4389-85C2-6C245290E91A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*", matchCriteriaId: "16B3C589-DF11-459D-8A3F-1A1FD2265022", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", matchCriteriaId: "9E8CB869-C342-4362-9A4A-298F0B5F4003", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*", matchCriteriaId: "92EBF7BA-BB05-4946-9CA8-E170AB80ECA3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", matchCriteriaId: "89E7439E-F4D6-45EA-99FC-C9B34D4D590E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "252DCEF2-8DDF-467F-8869-B69A0A3426F8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", matchCriteriaId: "9BC578BE-2308-491E-9D56-6B45AFF0FCFA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*", matchCriteriaId: "4C5C5010-9631-4C70-AD90-A0D16B03BFA5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.91:*:*:*:*:*:*:*", matchCriteriaId: "5E1807BC-8549-438A-BF6F-DD15C660CCF5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc:*:*:*:*:*:*:*", matchCriteriaId: "4F6FABE8-A600-491F-AF0A-049F5E5C1E16", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "23257C18-B75C-471C-9EAF-1E86DEE845FA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 
7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.\n\n", }, ], id: "CVE-2023-27499", lastModified: "2024-11-21T07:53:01.980", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-11T03:15:07.547", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3275458", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3275458", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:24
Severity ?
Summary
Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3100882 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3100882 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 7.70 | |
sap | netweaver_application_server_abap | 7.70_pi | |
sap | netweaver_application_server_abap | 7.70byd |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.70:*:*:*:*:*:*:*", matchCriteriaId: "1506470D-41D9-44F8-AA3A-FA4971640FA8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.70_pi:*:*:*:*:*:*:*", matchCriteriaId: "981B6677-8B4E-4683-B68D-446A58185298", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.70byd:*:*:*:*:*:*:*", matchCriteriaId: "EAC4702C-896D-401E-AFF0-F96FFC94EBEC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.", }, { lang: "es", value: "Los servicios de impresión del lado del cliente SAP Cloud Print Manager y SAPSprint para SAP NetWeaver Application Server for ABAP - versiones 7.70, 7.70 PI, 7.70 BYD, permiten a un atacante inyectar código que puede ser ejecutado por la aplicación. 
Un atacante podría así controlar el comportamiento de la aplicación", }, ], id: "CVE-2021-40499", lastModified: "2024-11-21T06:24:16.160", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-12T15:15:09.637", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3100882", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3100882", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:16
Severity ?
Summary
The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, bypassing the established quality gates. Through this vulnerability, malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3097887 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3097887 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 700 | |
sap | netweaver_abap | 701 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 710 | |
sap | netweaver_abap | 730 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_abap | 756 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 710 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "E0DA7CC6-A0F6-4839-965D-C60F691496AD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "6497854E-9C7B-4DAF-ADC6-F26523BB7D47", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "FFE9B3CD-097D-4B66-8070-A46170736A0F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "6D46B6A9-C9F3-4270-AA6D-9988D6D4E608", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "5F4A410E-6276-4DD2-8C84-8B7DD06AD8FD", vulnerable: 
true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", 
matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.", }, { lang: "es", value: "El sistema de logística de software de SAP NetWeaver AS ABAP y ABAP Platform versiones - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, permite a un usuario malicioso transferir artefactos o contenido de código ABAP, omitiendo las puertas de calidad establecidas. 
Mediante esta vulnerabilidad el código malicioso puede llegar a calidad y producción, y puede comprometer la confidencialidad, integridad y disponibilidad del sistema y sus datos", }, ], id: "CVE-2021-38178", lastModified: "2024-11-21T06:16:34.560", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-12T15:15:08.477", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3097887", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3097887", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: 
"nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-12-09 17:15
Modified
2024-11-21 05:20
Severity ?
Summary
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754, does not sufficiently encode the URL, which allows an attacker to input malicious JavaScript in the URL that could be executed in the browser, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2996479 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2996479 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.", }, { lang: "es", value: "SAP NetWeaver AS ABAP, versiones - 740, 750, 751, 752, 753, 754, no codifica suficientemente la URL, lo que permite a un atacante ingresar un script java malicioso en la URL que podría ser ejecutado en el navegador, resultando en una vulnerabilidad de tipo Cross-Site Scripting (XSS)", }, ], id: "CVE-2020-26835", lastModified: "2024-11-21T05:20:22.130", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", 
integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-09T17:15:31.417", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2996479", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2996479", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-11-08 22:15
Modified
2024-11-21 07:22
Severity ?
Summary
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allow an attacker with high-level privileges to use a remote-enabled function to read a file which is otherwise restricted. On successful exploitation, an attacker can completely compromise the confidentiality of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3256571 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3256571 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 789 | |
sap | netweaver_application_server_abap | 804 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application.", }, { lang: "es", value: "Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habilitada para leer un archivo que de otro modo estaría restringido. 
Si la explotación tiene éxito, un atacante puede comprometer completamente la confidencialidad de la aplicación.", }, ], id: "CVE-2022-41212", lastModified: "2024-11-21T07:22:50.457", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-08T22:15:19.050", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-11-08 22:15
Modified
2024-11-21 07:22
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Summary
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allow an attacker with high-level privileges to use a remote-enabled function to delete a file which is otherwise restricted. On successful exploitation, an attacker can completely compromise the integrity and availability of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3256571 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3256571 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 789 | |
sap | netweaver_application_server_abap | 804 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application.\n\n", }, { lang: "es", value: "Debido a una validación de entrada insuficiente, SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante con privilegios de alto nivel utilizar una función remota habilitada para eliminar un archivo que de otro modo estaría restringido. 
Si se explota con éxito, un atacante puede comprometer completamente la integridad y disponibilidad de la aplicación.", }, ], id: "CVE-2022-41214", lastModified: "2024-11-21T07:22:50.617", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 5.8, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 5.8, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-08T22:15:19.243", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", 
type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-06-11 03:15
Modified
2024-11-21 09:16
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users, causing high impact on availability of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3453170 | Permissions Required | |
cna@sap.com | https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3453170 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 2008_1_710 | |
sap | netweaver_application_server_abap | st-pi_2008_1_700 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2008_1_710:*:*:*:*:*:*:*", matchCriteriaId: "B73EF71D-B02D-494D-9FCA-E8B45B8126C4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:st-pi_2008_1_700:*:*:*:*:*:*:*", matchCriteriaId: "40A30E2E-8FE7-4866-A3A5-9DE9D407FCBB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver and ABAP platform allows an\nattacker to impede performance for legitimate users by crashing or flooding the\nservice.\n\n\n\nAn\nimpact of this Denial of Service vulnerability might be long response delays\nand service interruptions, thus degrading the service quality experienced by\nlegitimate users causing high impact on availability of the application.", }, { lang: "es", value: "La plataforma SAP NetWeaver y ABAP permite a un atacante impedir el rendimiento de usuarios legítimos bloqueando o inundando el servicio. 
Un impacto de esta vulnerabilidad de denegación de servicio podría ser largas demoras en la respuesta e interrupciones del servicio, degradando así la calidad del servicio experimentada por los usuarios legítimos y causando un alto impacto en la disponibilidad de la aplicación.", }, ], id: "CVE-2024-33001", lastModified: "2024-11-21T09:16:12.457", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-06-11T03:15:10.393", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3453170", }, { source: "cna@sap.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3453170", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: 
"cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-11-14 01:15
Modified
2024-11-21 08:21
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Under certain conditions, SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access unintended data due to a lack of applied restrictions, which may lead to low impact on confidentiality and no impact on the integrity and availability of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3362849 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3362849 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | kernel_7.22 | |
sap | netweaver_application_server_abap | kernel_7.53 | |
sap | netweaver_application_server_abap | kernel_7.54 | |
sap | netweaver_application_server_abap | kernel_7.77 | |
sap | netweaver_application_server_abap | kernel_7.85 | |
sap | netweaver_application_server_abap | kernel_7.89 | |
sap | netweaver_application_server_abap | kernel_7.91 | |
sap | netweaver_application_server_abap | kernel_7.92 | |
sap | netweaver_application_server_abap | kernel_7.93 | |
sap | netweaver_application_server_abap | kernel_7.94 | |
sap | netweaver_application_server_abap | kernel64nuc_7.22 | |
sap | netweaver_application_server_abap | kernel64nuc_7.22ext | |
sap | netweaver_application_server_abap | kernel64uc_7.22 | |
sap | netweaver_application_server_abap | kernel64uc_7.22ext | |
sap | netweaver_application_server_abap | kernel64uc_7.53 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "D99F18BB-B44E-48B5-BD7C-D20E40915268", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: "A120BC2E-92B2-404A-ADF6-F1AF512631E6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "56F63498-DAC3-40EE-9625-51FA522BA0DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*", matchCriteriaId: "06155DA1-7EDD-4EBA-8EBB-F7352F4EC7D2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "104EE65A-202C-4F4E-B725-791A73687167", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "0269C487-81F8-4240-BEF8-1A7C33864519", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.94:*:*:*:*:*:*:*", matchCriteriaId: "32300EC9-E892-427B-A78A-55B3E5129EC4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "7184F3A2-3408-4B7E-BEA6-BBF55909969F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*", 
matchCriteriaId: "BB2D30A5-DB16-4CB7-8135-3CE106FA5477", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "D1657980-CBAC-41AC-A20E-18D7199EA244", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "771ED2D0-3BC5-4C36-BCEB-1A1C46667363", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "0F05534F-3D2B-4983-9CC1-3A8BC7D421C8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.\n\n", }, { lang: "es", value: "Bajo ciertas condiciones SAP NetWeaver Application Server ABAP - versiones KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, permite que un atacante no autenticado acceda a datos no deseados debido a la falta de restricciones aplicadas, lo que puede generar un bajo impacto en la confidencialidad y ningún impacto en la integridad y disponibilidad de la aplicación.", }, ], id: "CVE-2023-41366", lastModified: "2024-11-21T08:21:10.033", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: 
"MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-11-14T01:15:07.637", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3362849", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3362849", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-497", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-10-15 02:15
Modified
2024-11-21 05:35
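Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (nvd@nist.gov, Primary)
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (cna@sap.com, Secondary)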
Summary
User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2963137 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2963137 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 710 | |
sap | netweaver_application_server_abap | 711 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure.", }, { lang: "es", value: "Una vulnerabilidad de enumeración de usuarios puede ser explotada para obtener una lista de cuentas de usuario y la información personal del usuario puede ser expuesta en SAP NetWeaver Application Server ABAP (aplicación de prueba POWL): versiones 710, 711, 730, 731, 740, 750, conllevando a una Divulgación de Información", }, ], id: "CVE-2020-6371", lastModified: "2024-11-21T05:35:35.817", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, 
confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-10-15T02:15:12.953", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2963137", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2963137", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: 
"NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-02-15 18:29
Modified
2024-11-21 04:16
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov, Primary)
Summary
Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/106999 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2728839 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Broken Link, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106999 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2728839 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | Broken Link, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | * | |
sap | netweaver_application_server_abap | * | |
sap | netweaver_application_server_abap | 7.30 | |
sap | netweaver_application_server_abap | 7.31 | |
sap | netweaver_application_server_abap | 7.40 | |
sap | netweaver_as_abap | * | |
sap | netweaver_as_abap | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:*:*:*:*:*:*:*:*", matchCriteriaId: "4998F531-ED39-46D4-BA62-466BD37C8873", versionEndIncluding: "7.02", versionStartIncluding: "7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:*:*:*:*:*:*:*:*", matchCriteriaId: "C31EF66D-DB32-4352-8824-6630B8C61D47", versionEndIncluding: "7.53", versionStartIncluding: "7.50", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.30:*:*:*:*:*:*:*", matchCriteriaId: "FB5E17A3-C1F1-4FB9-8AB2-347C0429E29A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.31:*:*:*:*:*:*:*", matchCriteriaId: "6F65C175-29C0-4AC0-887F-46A222FAAF10", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.40:*:*:*:*:*:*:*", matchCriteriaId: "C0C8BB3C-64ED-456B-93A8-B18F30338BD6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_as_abap:*:*:*:*:*:*:*:*", matchCriteriaId: "01C3F7F6-3B1D-40C8-B305-8CEC6DEFA851", versionEndIncluding: "7.11", versionStartIncluding: "7.10", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_as_abap:*:*:*:*:*:*:*:*", matchCriteriaId: "341EDF6B-976B-46C4-BF35-CFB341C844F0", versionEndIncluding: "7.75", versionStartIncluding: "7.74", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, { lang: "es", value: "La funcionalidad de personalización de SAP NetWeaver AS ABAP Platform (solucionado en versiones desde la 7.0 hasta la 7.02, desde la 7.10 hasta la 7.11, la 7.30, 7.31, 7.40, desde la 7.50 hasta la 7.53 y desde la 7.74 hasta la 
7.75) no realiza las comprobaciones necesarias de autorización para un usuario autenticado, lo que resulta en un escalado de privilegios.", }, ], id: "CVE-2019-0257", lastModified: "2024-11-21T04:16:35.483", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-02-15T18:29:01.037", references: [ { source: "cna@sap.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/106999", }, { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2728839", }, { source: "cna@sap.com", tags: [ "Broken Link", "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/106999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2728839", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-11-10 17:15
Modified
2024-11-21 05:20
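Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov, Primary)
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (cna@sap.com, Secondary)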
Summary
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2971954 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2971954 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:782:*:*:*:*:*:*:*", matchCriteriaId: "E1803AAD-76A3-47EB-859B-D84C23AF4C18", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.", }, { lang: "es", value: "SAP NetWeaver AS ABAP (Web Dynpro), versiones: 731, 740, 750, 751, 
752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de Web Dynpro, lo que revela información confidencial del sistema que podría de otro modo estar restringido a usuarios altamente privilegiados debido a una falta de autorización, resultando en una Divulgación de Información", }, ], id: "CVE-2020-26818", lastModified: "2024-11-21T05:20:20.307", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-11-10T17:15:13.983", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: 
"https://launchpad.support.sap.com/#/notes/2971954", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 05:15
Modified
2024-11-21 07:51
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
Due to improper input controls in SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL, which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.\n\n", }, ], id: "CVE-2023-26459", lastModified: "2024-11-21T07:51:31.410", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 3.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 3.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T05:15:30.160", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { source: 
"cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-09 14:15
Modified
2024-11-21 05:48
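Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (nvd@nist.gov, Primary)
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (cna@sap.com, Secondary)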
Summary
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters, which results in a reflected cross-site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3004043 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3004043 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:*", matchCriteriaId: "BF4998F3-74DB-4E8C-BBEA-DFE0246D9C49", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75f:*:*:*:*:*:*:*", matchCriteriaId: "5177A906-AEBD-47B7-A793-B74C88038C2E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access 
data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.", }, { lang: "es", value: "SAP NetWeaver AS para ABAP (Web Survey), versiones: 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, no codifica suficientemente los parámetros input y output, lo que resulta en una vulnerabilidad de tipo cross site scripting reflejado, mediante el cual un usuario malicioso puede acceder a los datos relacionados con la sesión actual y usarlos para hacerse pasar por un usuario y acceder a toda la información con los mismos derechos que el usuario objetivo", }, ], id: "CVE-2021-21490", lastModified: "2024-11-21T05:48:28.693", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-09T14:15:08.010", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3004043", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3004043", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-11 15:15
Modified
2024-11-21 06:59
Severity ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3165801 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3165801 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:787:*:*:*:*:*:*:*", matchCriteriaId: "204DBA8B-9C40-4D5D-8BEB-4D05DE962A02", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:788:*:*:*:*:*:*:*", matchCriteriaId: "E54BF27F-93D4-4544-959E-3A642C1BC53F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, { lang: "es", value: "SAP NetWeaver Application Server for ABAP y ABAP Platform no llevan a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios", }, ], id: "CVE-2022-29611", lastModified: "2024-11-21T06:59:25.690", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 
8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-11T15:15:09.890", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3165801", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3165801", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-11 15:15
Modified
2024-11-21 05:58
Severity ?
Summary
SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allows a highly privileged attacker who has access to the local SAP system to inject malicious code by executing an ABAP report. The attacker could then gain access to data, overwrite it, or cause a denial of service.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3046610 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3046610 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.", }, { lang: "es", value: "SAP NetWeaver AS ABAP, versiones - 700, 701, 702, 730, 731, permiten a un atacante muy privilegiado inyectar código malicioso al ejecutar un reporte ABAP cuando el atacante tiene acceso al sistema SAP local. 
El atacante puede entonces conseguir acceso a los datos, sobrescribirlos o ejecutar una denegación de servicio", }, ], id: "CVE-2021-27611", lastModified: "2024-11-21T05:58:17.673", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.5, impactScore: 6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-11T15:15:08.223", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3046610", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ 
"Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3046610", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An unauthenticated attacker in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which, when clicked by an unsuspecting user, redirects the user to a malicious site that could read or modify some sensitive information or expose the victim to a phishing attack. The vulnerability has no direct impact on availability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3271227 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3271227 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:790:*:*:*:*:*:*:*", matchCriteriaId: "E6787B03-7C79-4E13-B681-145AF37A99ED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.\n\n", }, ], id: "CVE-2023-23853", lastModified: "2024-11-21T07:46:57.600", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:11.490", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3271227", }, { 
source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3271227", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-06-10 13:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user (Missing Authorization Check), allowing a malicious user to make wrong and unexpected changes to individual conditions, leading to wrong prices.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2916562 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2916562 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:*", matchCriteriaId: "BF4998F3-74DB-4E8C-BBEA-DFE0246D9C49", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75b:*:*:*:*:*:*:*", matchCriteriaId: "2C81F522-B48C-4FF1-BABF-1BD32D6E950F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75c:*:*:*:*:*:*:*", matchCriteriaId: "D40BB558-1858-4EE4-8569-94C210AAC5DE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75d:*:*:*:*:*:*:*", matchCriteriaId: "51091237-042F-4056-8A49-178CDB486AF3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75e:*:*:*:*:*:*:*", matchCriteriaId: "FD164F9E-A9FA-4DCD-82EC-2C6C79F4D79D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, 
does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices.", }, { lang: "es", value: "SAP NetWeaver AS ABAP (Banking Services), versiones: 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, no realiza las comprobaciones de autorización necesarias para un usuario autenticado debido a la Falta de Comprobación de Autorización, permitiendo un cambio incorrecto e inesperado de condiciones individuales por un usuario malicioso conllevando a precios incorrectos", }, ], id: "CVE-2020-6270", lastModified: "2024-11-21T05:35:24.910", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-06-10T13:15:18.477", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2916562", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2916562", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-11 03:15
Modified
2024-11-21 07:55
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to 
make it unavailable over the network without any user interaction.\n\n", }, ], id: "CVE-2023-28763", lastModified: "2024-11-21T07:55:57.433", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-11T03:15:07.733", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296378", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296378", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-01-09 02:15
Modified
2024-11-21 08:54
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker with low privileges can cause a limited impact on the confidentiality of the application data.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3387737 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3387737 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:79:*:*:*:sap_basis:*:*:*", matchCriteriaId: "7E795D39-9D29-4CFC-BDB7-5E990A386647", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6F048ED9-2DDF-4EB9-8571-73832AFABF6A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*", matchCriteriaId: "C37DC475-6B9A-493C-9A6F-28CDD65D2A5B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", matchCriteriaId: "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", matchCriteriaId: "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", matchCriteriaId: "8E96C58C-ED44-487B-A67E-FDAE3C29023A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", matchCriteriaId: "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*", matchCriteriaId: "3E0CA53D-4335-4872-B527-30802E31B893", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*", matchCriteriaId: "419BA423-0803-4F51-8889-014A521F02CE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*", matchCriteriaId: "DA20ECDC-8807-462C-A0F0-70DF6F5A119B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*", matchCriteriaId: "800AAC21-325C-4F16-AE5A-9F89327E5356", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*", matchCriteriaId: 
"BDC15DB7-A95B-475F-AAA6-60A801F65690", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*", matchCriteriaId: "55A2FECF-A32E-4188-9563-E8BA0E952261", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*", matchCriteriaId: "9CBF2E53-17F0-4BF0-9C38-749C7E611BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:*", matchCriteriaId: "5160572B-E3AB-4B96-8950-07DDAFA0E4A6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:793:*:*:*:sap_basis:*:*:*", matchCriteriaId: "AB104F44-D209-41D3-AE25-A5A4A8CE3323", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.\n\n", }, { lang: "es", value: "SAP NetWeaver ABAP Application Server y ABAP Platform no codifican suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS). 
Un atacante con pocos privilegios puede causar un impacto limitado en la confidencialidad de los datos de la aplicación después de una explotación exitosa.", }, ], id: "CVE-2024-21738", lastModified: "2024-11-21T08:54:54.690", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-01-09T02:15:46.020", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3387737", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3387737", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-11-10 16:15
Modified
2024-11-21 06:24
Severity ?
Summary
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 - contains transport authorizations that exceed the expected display-only permissions.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3105728 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3105728 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.", }, { lang: "es", value: "Un determinado rol de plantilla en SAP NetWeaver Application Server para ABAP y ABAP Platform - versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contiene autorizaciones de transporte, que exceden los permisos esperados de sólo visualización", }, ], id: "CVE-2021-40504", lastModified: "2024-11-21T06:24:16.830", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: 
"NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-11-10T16:15:08.833", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3105728", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3105728", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-07-14 12:15
Modified
2024-11-21 06:09
Severity ?
Summary
A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, 75F, allows a highly privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:*", matchCriteriaId: "BF4998F3-74DB-4E8C-BBEA-DFE0246D9C49", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75b:*:*:*:*:*:*:*", matchCriteriaId: "2C81F522-B48C-4FF1-BABF-1BD32D6E950F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75c:*:*:*:*:*:*:*", matchCriteriaId: "D40BB558-1858-4EE4-8569-94C210AAC5DE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75d:*:*:*:*:*:*:*", matchCriteriaId: "51091237-042F-4056-8A49-178CDB486AF3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75e:*:*:*:*:*:*:*", matchCriteriaId: "FD164F9E-A9FA-4DCD-82EC-2C6C79F4D79D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:75f:*:*:*:*:*:*:*", matchCriteriaId: "5177A906-AEBD-47B7-A793-B74C88038C2E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.", }, { lang: "es", value: "Un módulo de funciones de SAP NetWeaver AS ABAP (Reconciliation Framework), versiones - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, 75F, permite a un atacante con altos privilegios inyectar código que puede ser ejecutado por la aplicación. 
De este modo, un atacante podría eliminar información crítica y hacer que el sistema SAP no esté disponible completamente", }, ], id: "CVE-2021-33678", lastModified: "2024-11-21T06:09:20.760", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 7.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:C", version: "2.0", }, exploitabilityScore: 8, impactScore: 7.8, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 5.2, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-14T12:15:08.377", references: [ { source: "cna@sap.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "cna@sap.com", tags: [ "Exploit", "Mailing List", "Third Party 
Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3048657", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3048657", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-95", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 - allows an unauthenticated attacker to craft a link which, when clicked by an unsuspecting user, can be used to redirect that user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3268959 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3268959 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:790:*:*:*:*:*:*:*", matchCriteriaId: "E6787B03-7C79-4E13-B681-145AF37A99ED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 
790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.\n\n", }, ], id: "CVE-2023-23860", lastModified: "2024-11-21T07:46:59.353", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:12.213", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", 
value: "CWE-601", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-08-12 14:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2941667 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2941667 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | abap_platform | 7.31 | |
sap | abap_platform | 700 | |
sap | abap_platform | 701 | |
sap | abap_platform | 702 | |
sap | abap_platform | 710 | |
sap | abap_platform | 711 | |
sap | abap_platform | 740 | |
sap | abap_platform | 750 | |
sap | abap_platform | 751 | |
sap | abap_platform | 753 | |
sap | abap_platform | 755 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 710 | |
sap | netweaver_application_server_abap | 711 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform:7.31:*:*:*:*:*:*:*", matchCriteriaId: "D7E7672B-1021-4592-AA5F-2B51B63627BA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:700:*:*:*:*:*:*:*", matchCriteriaId: "9AA5D36E-BE80-422B-8A6B-0ABDDE274146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:701:*:*:*:*:*:*:*", matchCriteriaId: "C04D8608-83F0-4D7F-A7A9-59B616240F14", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:702:*:*:*:*:*:*:*", matchCriteriaId: "E4DF5956-1396-41FA-B101-E24F7898D135", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:710:*:*:*:*:*:*:*", matchCriteriaId: "ADE0E878-BE4E-4CFD-907D-7ABB745A4CE8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:711:*:*:*:*:*:*:*", matchCriteriaId: "D14E8DCD-B365-4FC0-B08C-1A89787111C9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:740:*:*:*:*:*:*:*", matchCriteriaId: "07710B18-BF01-4316-A258-4F1CB6269C5E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:750:*:*:*:*:*:*:*", matchCriteriaId: "A3A631DA-1279-49AC-922E-7D7216DACC8D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:751:*:*:*:*:*:*:*", matchCriteriaId: "65320F25-669B-40D8-A246-07B0202C00A9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:753:*:*:*:*:*:*:*", matchCriteriaId: "E1C86F45-445E-4970-A378-199A35B23F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:755:*:*:*:*:*:*:*", matchCriteriaId: "5B48E0FF-814F-4F9C-B5B1-87D978E1B4A4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: 
"706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.", }, { lang: "es", value: "SAP NetWeaver (ABAP Server) y plataforma ABAP, versiones: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, permiten a un atacante inyectar código que puede ser ejecutado por la aplicación conllevando a una Inyección de Código. 
Un atacante podría de ese modo, controlar el comportamiento de la aplicación", }, ], id: "CVE-2020-6296", lastModified: "2024-11-21T05:35:27.473", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.5, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-12T14:15:14.207", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2941667", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: 
"https://launchpad.support.sap.com/#/notes/2941667", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:48
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740 - allows an unauthenticated user to alter a user's current session by injecting malicious code over the network and to gain access to unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3269118 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3269118 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. 
This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], id: "CVE-2023-24522", lastModified: "2024-11-21T07:48:02.843", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:12.423", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3269118", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3269118", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-09 14:15
Modified
2024-11-21 05:48
Severity ?
Summary
SAP NetWeaver AS ABAP and ABAP Platform, versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contain the function module SRM_RFC_SUBMIT_REPORT, which fails to validate the authorization of an authenticated user, thus allowing a user without the required authorization to execute reports in SAP NetWeaver ABAP Platform.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.", }, { lang: "es", value: "SAP NetWeaver AS ABAP y ABAP Platform, versiones - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contiene el módulo de función SRM_RFC_SUBMIT_REPORT que no comprueba la autorización de un usuario autenticado por lo tanto permitir a un usuario no autorizado ejecutar reportes en la plataforma SAP NetWeaver ABAP", }, ], id: "CVE-2021-21473", lastModified: "2024-11-21T05:48:26.590", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: 
{ attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-09T14:15:07.977", references: [ { source: "cna@sap.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "cna@sap.com", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3002517", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3002517", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: 
"CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 05:15
Modified
2024-11-21 07:52
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class intended for test purposes: an attacker authenticated as a non-administrative user can craft a request with certain parameters that consumes enough of the server's resources to make it unavailable. The attacker cannot view or modify any information.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.\n\n", }, ], id: "CVE-2023-27270", lastModified: "2024-11-21T07:52:34.367", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T05:15:30.593", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296328", }, { source: 
"cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3296328", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-08-13 05:15
Modified
2024-09-12 13:28
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Due to a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user-related information. There is no impact on integrity or availability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3494349 | Permissions Required | |
cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | sap_basis_700 | |
sap | netweaver_application_server_abap | sap_basis_701 | |
sap | netweaver_application_server_abap | sap_basis_702 | |
sap | netweaver_application_server_abap | sap_basis_731 | |
sap | netweaver_application_server_abap | sap_basis_740 | |
sap | netweaver_application_server_abap | sap_basis_750 | |
sap | netweaver_application_server_abap | sap_basis_751 | |
sap | netweaver_application_server_abap | sap_basis_752 | |
sap | netweaver_application_server_abap | sap_basis_753 | |
sap | netweaver_application_server_abap | sap_basis_754 | |
sap | netweaver_application_server_abap | sap_basis_755 | |
sap | netweaver_application_server_abap | sap_basis_756 | |
sap | netweaver_application_server_abap | sap_basis_757 | |
sap | netweaver_application_server_abap | sap_basis_758 | |
sap | netweaver_application_server_abap | sap_basis_912 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_700:*:*:*:*:*:*:*", matchCriteriaId: "AB7909F4-1D66-4C4F-95F3-34ACB0190DB8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_701:*:*:*:*:*:*:*", matchCriteriaId: "F8310EBA-2438-427F-80C2-BE151E35D97D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_702:*:*:*:*:*:*:*", matchCriteriaId: "732E155D-C866-4F0E-BC86-037B94308B7D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_731:*:*:*:*:*:*:*", matchCriteriaId: "035EDBAC-C29B-49DB-ACEE-CA64750E7290", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_740:*:*:*:*:*:*:*", matchCriteriaId: "CFD1A272-9FD0-426F-AF7D-5A8D7CF4A4BE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_750:*:*:*:*:*:*:*", matchCriteriaId: "05BE37AE-1CC3-4A84-BC9A-B353747B9151", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_751:*:*:*:*:*:*:*", matchCriteriaId: "78B1673C-7EF7-4658-91EE-A5BFFDD068B6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_752:*:*:*:*:*:*:*", matchCriteriaId: "1A69E6E2-46AD-4973-8F39-500D34D50570", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_753:*:*:*:*:*:*:*", matchCriteriaId: "15141B2A-8186-454F-BC4D-6BF07420C899", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_754:*:*:*:*:*:*:*", matchCriteriaId: "50137ED8-017E-4D0C-ADB4-8FD227301371", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_755:*:*:*:*:*:*:*", matchCriteriaId: "021DE052-25C3-49DF-B2AD-BF9D28B1CAD4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_756:*:*:*:*:*:*:*", 
matchCriteriaId: "FFAA63CF-0FD5-4568-A88C-82AD97A14EFF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_757:*:*:*:*:*:*:*", matchCriteriaId: "17767460-94A3-443D-8D60-3607D3A894D6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_758:*:*:*:*:*:*:*", matchCriteriaId: "63B654DB-8E10-422A-94B5-42F9D4EAB10F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:sap_basis_912:*:*:*:*:*:*:*", matchCriteriaId: "1CC51692-5E94-4678-99B0-4EC1D633DDF8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.", }, { lang: "es", value: "Debido a la falta de verificación de autorización en SAP NetWeaver Application Server ABAP y ABAP Platform, un atacante autenticado podría llamar a una transacción subyacente, lo que conduce a la divulgación de información relacionada con el usuario. 
No hay ningún impacto en la integridad o la disponibilidad.", }, ], id: "CVE-2024-41734", lastModified: "2024-09-12T13:28:03.450", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-13T05:15:13.587", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3494349", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-14 05:15
Modified
2024-11-21 07:52
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite system files. In this attack no data can be read, but potentially critical OS files can be overwritten, making the system unavailable.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:791:*:*:*:*:*:*:*", matchCriteriaId: "312DBCA5-D3F6-4F42-B632-34759D799856", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.\n\n", }, ], id: "CVE-2023-27269", lastModified: "2024-11-21T07:52:34.227", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 5.8, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 5.8, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-14T05:15:30.507", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3294595", }, { source: "cna@sap.com", tags: [ "Vendor 
Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3294595", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-09 14:15
Modified
2024-11-21 06:09
Severity ?
Summary
SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3028370 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3028370 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | kernel_7.49 | |
sap | netweaver_application_server_abap | kernel_7.53 | |
sap | netweaver_application_server_abap | kernel_7.77 | |
sap | netweaver_application_server_abap | kernel_7.81 | |
sap | netweaver_application_server_abap | kernel_7.84 | |
sap | netweaver_application_server_abap | krnl64nuc_7.49 | |
sap | netweaver_application_server_abap | krnl64uc_7.49 | |
sap | netweaver_application_server_abap | krnl64uc_7.53 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.49:*:*:*:*:*:*:*", matchCriteriaId: "5370493B-8917-4ACC-9C4B-043BEF7CCCA8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.81:*:*:*:*:*:*:*", matchCriteriaId: "F39863DC-8CF3-4FB9-8FBF-1776791D701F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.84:*:*:*:*:*:*:*", matchCriteriaId: "8FB964D8-83B6-4DCE-B51D-CBD8766A8FBE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "AB478A3C-4DD5-4F42-B2F1-9B7CCBA1B995", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "6D5F8B53-ECAD-4CD2-8F91-25112569C056", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "ADE160BD-659F-4517-B625-61CFB2FBD456", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, { lang: "es", value: "SAP NetWeaver Application Server ABAP (Aplicaciones basadas en SAP GUI para HTML), versiones - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, no codifica suficientemente las entradas 
controladas por el usuario, resultando en una vulnerabilidad de tipo cross-site scripting (XSS)", }, ], id: "CVE-2021-33665", lastModified: "2024-11-21T06:09:18.870", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-09T14:15:10.077", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3028370", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions 
Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3028370", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-11-10 17:15
Modified
2024-11-21 05:20
Severity ?
Summary
Because of improper access control, SAP NetWeaver AS ABAP (Web Dynpro), versions 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components that let them read and delete database log files.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2971954 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2971954 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:782:*:*:*:*:*:*:*", matchCriteriaId: "E1803AAD-76A3-47EB-859B-D84C23AF4C18", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control.", }, { lang: "es", value: "SAP NetWeaver AS ABAP (Web Dynpro), versiones - 731, 740, 750, 751, 752, 753, 754, 755, 782, permite a un usuario autenticado acceder a los componentes de 
Web Dynpro, lo que luego permite leer y eliminar archivos de registro de la base de datos debido a un Control de Acceso Inapropiado", }, ], id: "CVE-2020-26819", lastModified: "2024-11-21T05:20:20.420", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-11-10T17:15:14.077", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-10 04:15
Modified
2024-11-21 07:36
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to a capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3089413 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3089413 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6F048ED9-2DDF-4EB9-8571-73832AFABF6A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*", matchCriteriaId: "C37DC475-6B9A-493C-9A6F-28CDD65D2A5B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", matchCriteriaId: "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:sap_basis:*:*:*", matchCriteriaId: "9A8726A6-2AC2-4282-951F-A71AD03572F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6E783E21-1F2A-44A2-BE1C-770370A6739B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:sap_basis:*:*:*", matchCriteriaId: "1E8E6E23-EA96-45D5-BC81-3E5990701AD4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*", matchCriteriaId: "4EB54432-0E1A-45F2-BEE1-8DC28FAADA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*", matchCriteriaId: "8E96C58C-ED44-487B-A67E-FDAE3C29023A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*", matchCriteriaId: "A14DF5EB-B8CE-4A47-9959-2F65A5DCEF5F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*", matchCriteriaId: "3E0CA53D-4335-4872-B527-30802E31B893", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*", matchCriteriaId: "419BA423-0803-4F51-8889-014A521F02CE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*", matchCriteriaId: 
"DA20ECDC-8807-462C-A0F0-70DF6F5A119B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*", matchCriteriaId: "800AAC21-325C-4F16-AE5A-9F89327E5356", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*", matchCriteriaId: "BDC15DB7-A95B-475F-AAA6-60A801F65690", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*", matchCriteriaId: "55A2FECF-A32E-4188-9563-E8BA0E952261", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*", matchCriteriaId: "9CBF2E53-17F0-4BF0-9C38-749C7E611BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.22:*:*:*:*:*:*:*", matchCriteriaId: "A145BFD2-92C8-46B1-8F72-53F6C37018C2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.53:*:*:*:*:*:*:*", matchCriteriaId: "1A5F121E-49BF-4F08-8623-79DDE0A37B63", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.77:*:*:*:*:*:*:*", matchCriteriaId: "2BF066A7-91C2-4B36-9A1B-80B1BC8A3E8D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.81:*:*:*:*:*:*:*", matchCriteriaId: "A677338F-5955-435C-91FD-CC5C1A387024", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.85:*:*:*:*:*:*:*", matchCriteriaId: "A13006BE-0874-48D6-B8F6-47A117A2AE29", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_kernel:7.89:*:*:*:*:*:*:*", matchCriteriaId: "65C7E312-AC74-4997-995F-74AB2E53B24B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22:*:*:*:*:*:*:*", matchCriteriaId: "6A4DCE73-B47A-4FDA-A96D-C251891C8E07", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*", 
matchCriteriaId: "9AC795F5-1AE7-4B4C-B1DD-DEF46BB4122F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22:*:*:*:*:*:*:*", matchCriteriaId: "14757DC0-6CAC-4082-B726-719098C2216C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "5D24E493-7256-4881-9761-D84918EC1D78", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap_krnl64uc:7.53:*:*:*:*:*:*:*", matchCriteriaId: "C060979B-38D0-40FD-B1A1-571F5F7C5E8D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.\n\n\n", }, { lang: "es", value: "SAP Netweaver ABAP Server y ABAP Platform - Versiones SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, Kernel 7.22, 7.53, 7.77, 7.81 , 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, crea información sobre la identidad del sistema en un formato ambiguo. 
Esto podría generar una vulnerabilidad de captura-reproducción y podría ser aprovechado por usuarios malintencionados para obtener acceso ilegítimo al sistema.", }, ], id: "CVE-2023-0014", lastModified: "2024-11-21T07:36:23.730", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-10T04:15:09.550", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3089413", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3089413", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-294", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-08-12 14:15
Modified
2024-11-21 05:35
Severity ?
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2941510 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2941510 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | Vendor Advisory |
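Impacted products (the entries below cover versions 740, 750, 751, 753, 754 and 755; version 752, which the summary names, has no entry here)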
Vendor | Product | Version | |
---|---|---|---|
sap | abap_platform | 740 | |
sap | abap_platform | 750 | |
sap | abap_platform | 751 | |
sap | abap_platform | 753 | |
sap | abap_platform | 754 | |
sap | abap_platform | 755 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform:740:*:*:*:*:*:*:*", matchCriteriaId: "07710B18-BF01-4316-A258-4F1CB6269C5E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:750:*:*:*:*:*:*:*", matchCriteriaId: "A3A631DA-1279-49AC-922E-7D7216DACC8D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:751:*:*:*:*:*:*:*", matchCriteriaId: "65320F25-669B-40D8-A246-07B0202C00A9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:753:*:*:*:*:*:*:*", matchCriteriaId: "E1C86F45-445E-4970-A378-199A35B23F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:754:*:*:*:*:*:*:*", matchCriteriaId: "74901A8A-A556-478F-ABCD-7DCFD471210A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:755:*:*:*:*:*:*:*", matchCriteriaId: "5B48E0FF-814F-4F9C-B5B1-87D978E1B4A4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 
751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.", }, { lang: "es", value: "SAP NetWeaver (ABAP Server) y la plataforma ABAP, versiones - 740, 750, 751, 752, 753, 754, 755, permiten a un usuario empresarial acceder a la lista de usuarios en el sistema dado usando la ayuda de valor, conllevando a una Divulgación de Información", }, ], id: "CVE-2020-6299", lastModified: "2024-11-21T05:35:27.797", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-12T14:15:14.423", references: [ { source: 
"cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2941510", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2941510", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-01-14 20:15
Modified
2024-11-21 06:27
Severity ?
Summary
In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3112710 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3112710 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 701 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 711 | |
sap | netweaver_abap | 730 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_abap | 756 | |
sap | netweaver_abap | 786 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 711 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 | |
sap | netweaver_application_server_abap | 786 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "6497854E-9C7B-4DAF-ADC6-F26523BB7D47", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "0AD9BF3E-56CB-4387-AE46-6BCBCE2F5DE7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "6D46B6A9-C9F3-4270-AA6D-9988D6D4E608", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "5F4A410E-6276-4DD2-8C84-8B7DD06AD8FD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:786:*:*:*:*:*:*:*", matchCriteriaId: "1D34F34D-222B-4B1F-804C-87EB54642F72", vulnerable: 
true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", 
matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:786:*:*:*:*:*:*:*", matchCriteriaId: "9282EF83-AB34-452F-A270-A0C8090AF2AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.", }, { lang: "es", value: "En SAP NetWeaver AS for ABAP y ABAP Platform - versiones 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, un atacante autenticado como usuario normal puede usar el cuadro de mandos de S/4 Hana para revelar sistemas y servicios que normalmente no se le permitiría ver. No es posible la alteración de la información ni la denegación de servicio", }, ], id: "CVE-2021-42067", lastModified: "2024-11-21T06:27:10.777", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-01-14T20:15:11.813", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3112710", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3112710", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-13 16:15
Modified
2024-11-21 07:11
Severity ?
Summary
An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users, resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure, including stealing authentication information and impersonating the affected user.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3218177 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3218177 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 7.22ext | |
sap | netweaver_application_server_abap | 7.49 | |
sap | netweaver_application_server_abap | 7.53 | |
sap | netweaver_application_server_abap | 7.54 | |
sap | netweaver_application_server_abap | 7.77 | |
sap | netweaver_application_server_abap | 7.81 | |
sap | netweaver_application_server_abap | 7.85 | |
sap | netweaver_application_server_abap | 7.89 | |
sap | netweaver_application_server_abap | kernel_7.22 | |
sap | netweaver_application_server_abap | krnl64nuc_7.22 | |
sap | netweaver_application_server_abap | krnl64uc_7.22 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AF64539B-0DE2-4076-91B9-F03F4DDFAE2F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*", matchCriteriaId: "9FBC5614-7C3F-4AD8-8640-0499B8B03C64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", matchCriteriaId: "9E8CB869-C342-4362-9A4A-298F0B5F4003", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.54:*:*:*:*:*:*:*", matchCriteriaId: "92EBF7BA-BB05-4946-9CA8-E170AB80ECA3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", matchCriteriaId: "89E7439E-F4D6-45EA-99FC-C9B34D4D590E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "252DCEF2-8DDF-467F-8869-B69A0A3426F8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", matchCriteriaId: "9BC578BE-2308-491E-9D56-6B45AFF0FCFA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.89:*:*:*:*:*:*:*", matchCriteriaId: "4C5C5010-9631-4C70-AD90-A0D16B03BFA5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "23257C18-B75C-471C-9EAF-1E86DEE845FA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An attacker with basic business user privileges could craft and 
upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.", }, { lang: "es", value: "Un atacante con privilegios básicos de usuario de negocio podría diseñar y cargar un archivo malicioso en SAP NetWeaver Application Server ABAP, que luego es descargado y visualizado por otros usuarios, dando lugar a un ataque de tipo Cross-Site-Scripting almacenado. Esto podría conllevar a una divulgación de información, incluyendo el robo de información de autenticación y una suplantación del usuario afectado", }, ], id: "CVE-2022-35294", lastModified: "2024-11-21T07:11:03.857", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-13T16:15:08.877", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3218177", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3218177", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: 
"Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-11 03:15
Modified
2024-11-21 08:08
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L (source: cna@sap.com, Secondary)
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (source: nvd@nist.gov, Primary)
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform - versions KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3318850 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3318850 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | kernel_7.22 | |
sap | netweaver_application_server_abap | kernel_7.53 | |
sap | netweaver_application_server_abap | kernel_7.54 | |
sap | netweaver_application_server_abap | kernel_7.77 | |
sap | netweaver_application_server_abap | kernel_7.81 | |
sap | netweaver_application_server_abap | kernel_7.85 | |
sap | netweaver_application_server_abap | kernel_7.89 | |
sap | netweaver_application_server_abap | kernel_7.92 | |
sap | netweaver_application_server_abap | kernel_7.93 | |
sap | netweaver_application_server_abap | krnl64nuc_7.22 | |
sap | netweaver_application_server_abap | krnl64nuc_7.22ext | |
sap | netweaver_application_server_abap | krnl64uc_7.22 | |
sap | netweaver_application_server_abap | krnl64uc_7.22ext | |
sap | netweaver_application_server_abap | krnl64uc_7.53 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "D99F18BB-B44E-48B5-BD7C-D20E40915268", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.81:*:*:*:*:*:*:*", matchCriteriaId: "F39863DC-8CF3-4FB9-8FBF-1776791D701F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: "A120BC2E-92B2-404A-ADF6-F1AF512631E6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "56F63498-DAC3-40EE-9625-51FA522BA0DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "104EE65A-202C-4F4E-B725-791A73687167", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "0269C487-81F8-4240-BEF8-1A7C33864519", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AB7E91DE-A52F-4E57-8397-7670E30C8B5C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: 
"23257C18-B75C-471C-9EAF-1E86DEE845FA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "A01290A1-3C1B-4AF7-9284-C164BDEC85A2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "ADE160BD-659F-4517-B625-61CFB2FBD456", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.", }, ], id: "CVE-2023-35874", lastModified: "2024-11-21T08:08:53.180", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 3.7, source: "nvd@nist.gov", type: "Primary", }, ], }, 
published: "2023-07-11T03:15:10.050", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3318850", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3318850", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-306", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-07-10 19:15
Modified
2024-11-21 04:16
Severity ?
Summary
ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | http://www.securityfocus.com/bid/109078 | Third Party Advisory, VDB Entry | |
cna@sap.com | https://launchpad.support.sap.com/#/notes/2773888 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/109078 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2773888 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 7.31 | |
sap | netweaver_as_abap | 7.4 | |
sap | netweaver_as_abap | 7.5 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.31:*:*:*:*:*:*:*", matchCriteriaId: "6F65C175-29C0-4AC0-887F-46A222FAAF10", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_as_abap:7.4:*:*:*:*:*:*:*", matchCriteriaId: "29E542B2-7A01-48CE-953C-35796FEB77FC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_as_abap:7.5:*:*:*:*:*:*:*", matchCriteriaId: "310F88C0-37C1-4E8B-BC8A-948964E6B674", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, { lang: "es", value: "ABAP Server y ABAP Platform (SAP Basis), versiones 7.31, 7.4, 7.5, no codifican de manera suficiente las entradas controladas por el usuario, resultando en una vulnerabilidad de tipo cross-site scripting (XSS).", }, ], id: "CVE-2019-0321", lastModified: "2024-11-21T04:16:40.830", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, 
impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-07-10T19:15:10.297", references: [ { source: "cna@sap.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/109078", }, { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2773888", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/109078", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2773888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:46
Severity ?
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L (source: cna@sap.com, Secondary)
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (source: nvd@nist.gov, Primary)
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3287291 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3287291 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.\n\n", }, ], id: "CVE-2023-23854", lastModified: "2024-11-21T07:46:57.837", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 2.5, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:11.627", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3287291", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3287291", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-12 15:15
Modified
2024-11-21 06:24
Severity ?
Summary
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality to exploit the authentication function by using POST and a form field to repeat executions of the initial command by a GET request, exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3087254 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3087254 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_abap | 700 | |
sap | netweaver_abap | 701 | |
sap | netweaver_abap | 702 | |
sap | netweaver_abap | 730 | |
sap | netweaver_abap | 731 | |
sap | netweaver_abap | 740 | |
sap | netweaver_abap | 750 | |
sap | netweaver_abap | 751 | |
sap | netweaver_abap | 752 | |
sap | netweaver_abap | 753 | |
sap | netweaver_abap | 754 | |
sap | netweaver_abap | 755 | |
sap | netweaver_abap | 756 | |
sap | netweaver_abap | 785 | |
sap | netweaver_application_server_abap | 700 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 730 | |
sap | netweaver_application_server_abap | 731 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 | |
sap | netweaver_application_server_abap | 785 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "E0DA7CC6-A0F6-4839-965D-C60F691496AD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "6497854E-9C7B-4DAF-ADC6-F26523BB7D47", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "FFC58754-3A9D-4320-AB4F-385FB72608E7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "6D46B6A9-C9F3-4270-AA6D-9988D6D4E608", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5B8A73A5-4526-40E1-A540-0A6C3F93DA05", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "09A38B6E-03DC-4086-A307-542B35814E0E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "4651257F-7BFC-41AE-8E37-8C96F822CE58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "EECB438D-D5CD-4483-934F-4C814A725A35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "14A1CD95-14E1-438A-92FB-A0E47A88C59F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "4148303B-133A-4FD2-B546-DD86C5D0E7C1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "E51EF6BC-4C1C-4F1B-9873-D571BE3788F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "424A3D68-0825-4A2C-BEB1-DC9A212A5E42", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "5F4A410E-6276-4DD2-8C84-8B7DD06AD8FD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_abap:785:*:*:*:*:*:*:*", matchCriteriaId: "76FF2082-3D69-41D9-AB86-F5E49D2485C9", vulnerable: 
true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", 
matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:785:*:*:*:*:*:*:*", matchCriteriaId: "EC94057A-D02A-4111-BC35-4CD49C68B73B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.", }, { lang: "es", value: "SAP Internet Communication framework (ICM) - versiones 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, permite a un atacante con la funcionalidad logon, explotar la función de autenticación mediante el uso de POST y el campo form para repetir las ejecuciones del comando inicial mediante una petición GET y exponer datos confidenciales. 
Esta vulnerabilidad es normalmente expuesta a través de la red y su explotación con éxito puede conllevar a una exposición de datos como detalles del sistema", }, ], id: "CVE-2021-40496", lastModified: "2024-11-21T06:24:15.753", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-12T15:15:09.267", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3087254", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3087254", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-668", }, ], source: 
"cna@sap.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-668", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-10 03:15
Modified
2024-11-21 07:36
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3283283 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3283283 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 
753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.", }, { lang: "es", value: "ABAP Keyword Documentation de SAP NetWeaver Application Server (versiones 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757) para ABAP y la plataforma ABAP no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de cross-site scripting (XSS). Si se explota con éxito, un atacante puede causar un impacto limitado en la confidencialidad y la integridad de la aplicación.", }, ], id: "CVE-2023-0013", lastModified: "2024-11-21T07:36:23.607", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-10T03:15:10.173", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3283283", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: 
"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3283283", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-09-10 03:15
Modified
2024-09-16 14:09
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3507252 | Permissions Required | |
cna@sap.com | https://url.sap/sapsecuritypatchday | Patch |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:*:*:*:*", matchCriteriaId: "48DFFD36-0A4A-417F-9BC5-77FD4152B637", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:912:*:*:*:*:*:*:*", matchCriteriaId: "D2F8173D-96E8-4194-9927-681AFF56B3F0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.", }, { lang: "es", value: "SAP NetWeaver Application Server para ABAP y la plataforma ABAP permiten a los usuarios con privilegios elevados ejecutar un programa que revela datos a través de la red. Esto tiene un impacto mínimo en la confidencialidad de la aplicación.", }, ], id: "CVE-2024-44114", lastModified: "2024-09-16T14:09:10.170", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 0.5, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-09-10T03:15:03.077", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3507252", }, { source: "cna@sap.com", tags: [ "Patch", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: 
"Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-12 03:15
Modified
2024-11-21 08:19
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3340576 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3340576 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:commoncryptolib:8.0.0:*:*:*:*:*:*:*", matchCriteriaId: "92E07A81-F35C-4BF4-8AB4-E5B3C3D09487", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:6.50:*:*:*:*:*:*:*", matchCriteriaId: "85520864-E99A-4576-847C-5E0EA1E6CEC5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*", matchCriteriaId: "A02FB973-7FA0-4881-B912-27F4CFBDC673", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:content_server:7.54:*:*:*:*:*:*:*", matchCriteriaId: "ED7FD33E-6870-48EB-8695-67B9169D1808", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:extended_application_services_and_runtime:1.0:*:*:*:*:*:*:*", matchCriteriaId: "FF475F4D-11D8-401A-BAB8-8A31E81CEEEB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:hana_database:2.0:*:*:*:*:*:*:*", matchCriteriaId: "30B0858F-6AE9-4163-B001-1481FD3AFF9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:host_agent:722:*:*:*:*:*:*:*", matchCriteriaId: "6A56308E-B097-49F3-8963-1F34E8716CD9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AF64539B-0DE2-4076-91B9-F03F4DDFAE2F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "D99F18BB-B44E-48B5-BD7C-D20E40915268", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: 
"A120BC2E-92B2-404A-ADF6-F1AF512631E6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "56F63498-DAC3-40EE-9625-51FA522BA0DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.91:*:*:*:*:*:*:*", matchCriteriaId: "06155DA1-7EDD-4EBA-8EBB-F7352F4EC7D2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "104EE65A-202C-4F4E-B725-791A73687167", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "0269C487-81F8-4240-BEF8-1A7C33864519", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "379FDFC8-947E-4D09-A9DD-4B3F7481F648", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "7184F3A2-3408-4B7E-BEA6-BBF55909969F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "BB2D30A5-DB16-4CB7-8135-3CE106FA5477", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "D1657980-CBAC-41AC-A20E-18D7199EA244", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "771ED2D0-3BC5-4C36-BCEB-1A1C46667363", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "0F05534F-3D2B-4983-9CC1-3A8BC7D421C8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "AE19A598-2F90-4014-AC5B-352FBC154907", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "97EDAAC4-4885-46CE-860A-DDF92FF205C4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "4E53E262-A23E-4D99-B2D8-DDCBEED85EA2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "F7E61257-B187-4A83-96BD-D53CE11061D7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "34E0B493-0860-4074-A383-F9C2A06EA8E9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: "D338B951-5C8F-4C14-931C-5F8AEA7F5924", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "525603B5-ADDC-4F58-B730-FC748A56D6E1", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.91:*:*:*:*:*:*:*", matchCriteriaId: "CA2270AE-437E-4FDE-9F53-690C0BCF9C2E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.92:*:*:*:*:*:*:*", matchCriteriaId: "BD374580-7D80-4D7F-8D89-8F52F2DEA8D4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "59253D09-D58D-4013-8F29-2172C1B83AA8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "21316691-9A18-4B41-915E-491225CEF966", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "2BB08C06-0E07-4317-B1AC-C1ECCF931E7A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "8692B960-38A9-4035-88F5-C33D15B6A018", vulnerable: 
true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "1D9E47FB-D39A-40C3-AEEE-D6A5AE27F063", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "80C5A218-C623-41C5-A001-304046608CF9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "92E7B426-D50F-4AEE-B6F3-5D00C8A195F5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_java:kernel64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "039A11C9-D9D1-42BC-8DD4-2BCDAAF464CD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sapssoext:17.0:*:*:*:*:*:*:*", matchCriteriaId: "784CA842-6657-4A02-96B0-76A66AC469C9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "D3F76E6A-2F27-450C-AAB5-E49A64079CAC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*", matchCriteriaId: "47D4D542-2EC2-490B-B4E9-3E7BB8D59B77", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.54:*:*:*:*:*:*:*", matchCriteriaId: "950DF1E2-990E-41EF-8779-CEC54C7CDC60", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*", matchCriteriaId: "E33D9481-3CF6-4AA3-B115-7903AC6DAE25", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", matchCriteriaId: "F74EE4D5-E968-4851-89E6-4152F64930F2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*", matchCriteriaId: "097ED3E8-49B1-497E-BD43-28C397FBEAE8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. 
Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.", }, { lang: "es", value: "SAP CommonCryptoLib no realiza las comprobaciones de autenticación necesarias, lo que puede dar como resultado comprobaciones de autorización faltantes o incorrectas para un usuario autenticado, lo que resulta en una escalada de privilegios. Según la aplicación y el nivel de privilegios adquiridos, un atacante podría abusar de la funcionalidad restringida a un grupo de usuarios concreto, así como leer, modificar o eliminar datos restringidos.", }, ], id: "CVE-2023-40309", lastModified: "2024-11-21T08:19:12.560", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-12T03:15:12.073", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3340576", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://me.sap.com/notes/3340576", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-12-09 17:15
Modified
2024-11-21 05:20
Severity ?
Summary
SAP AS ABAP (SAP Landscape Transformation), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104, 105, allow a high-privileged user to execute an RFC function module to which access should be restricted. However, due to missing authorization, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 2011_1_620 | |
sap | netweaver_application_server_abap | 2011_1_640 | |
sap | netweaver_application_server_abap | 2011_1_700 | |
sap | netweaver_application_server_abap | 2011_1_710 | |
sap | netweaver_application_server_abap | 2011_1_730 | |
sap | netweaver_application_server_abap | 2011_1_731 | |
sap | netweaver_application_server_abap | 2011_1_752 | |
sap | netweaver_application_server_abap | 2020 | |
sap | s\/4_hana | 101 | |
sap | s\/4_hana | 102 | |
sap | s\/4_hana | 103 | |
sap | s\/4_hana | 104 | |
sap | s\/4_hana | 105 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*", matchCriteriaId: "81582DC5-7D38-4E36-80D1-70F68E72ACA2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*", matchCriteriaId: "6CBC1FEB-12A4-404D-B48B-31A5E79832C3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*", matchCriteriaId: "6C062334-A441-489F-A75D-28B42607FE0C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*", matchCriteriaId: "6EB166D4-5807-4808-B9BA-12A0EE106C3A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*", matchCriteriaId: "50FAC71E-03BA-4A90-80FB-A78F958C172E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*", matchCriteriaId: "EC8602D8-0EF3-452D-B993-8FC39C54E04E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*", matchCriteriaId: "063830D7-CFDF-426B-868E-B6E4FE629220", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*", matchCriteriaId: "BFE1EFA9-6E58-4508-9A7D-4F25D8F8E57B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:101:*:*:*:*:*:*:*", matchCriteriaId: "7A800EB9-BD11-46B8-9866-31088F01D433", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: 
"A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, { lang: "es", value: "SAP AS ABAP (SAP Landscape Transformation), versiones - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 y SAP S4 HANA (SAP Landscape Transformation), versiones - 101, 102, 103, 104, 105, permite a un usuario muy privilegiado ejecutar un módulo de función RFC al que debe estar restringido el acceso; sin embargo, debido a una falta de autorización, un atacante puede obtener acceso a información interna confidencial del sistema SAP vulnerable o hacer a sistemas SAP vulnerables no disponibles completamente", }, ], id: "CVE-2020-26832", lastModified: "2024-11-21T05:20:21.883", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:C", version: "2.0", }, exploitabilityScore: 8, impactScore: 7.8, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: 
"HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 4.7, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 4.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-09T17:15:31.260", references: [ { source: "cna@sap.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "cna@sap.com", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: 
"https://launchpad.support.sap.com/#/notes/2993132", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-09 14:15
Modified
2024-11-21 06:09
Severity ?
Summary
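SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions SAP_UI 750, 752, 753, 754, 755 and SAP_BASIS 702, 731, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Note: the impacted-products table and CPE list for this entry record the SAP_BASIS versions as 31 and 702, whereas this description names 702 and 731, so CPE-based matching on this record may miss SAP_BASIS 731; confirm the affected versions against the vendor note.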
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3025604 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3025604 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 31 | |
sap | netweaver_application_server_abap | 702 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:31:*:*:*:sap_basis:*:*:*", matchCriteriaId: "6DA5AA60-9965-464A-B7F0-26A980CB5D71", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*", matchCriteriaId: "2BD9FE51-F76C-439A-A3C0-5279EC1059F7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_ui:*:*:*", matchCriteriaId: "4E9DEEAD-268E-4FF8-BE8A-C54D514A338E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_ui:*:*:*", matchCriteriaId: "B972B526-A44F-44B4-88E2-D3A98EE16B8C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_ui:*:*:*", matchCriteriaId: "226798B5-341A-410F-B944-C9771EDFC43B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_ui:*:*:*", matchCriteriaId: "E46A16E9-567E-4E24-B6A5-197EE62B4055", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_ui:*:*:*", matchCriteriaId: "27F238D5-561C-4E52-B679-D9E72860AE78", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, { lang: "es", value: "SAP NetWeaver Application Server ABAP (Aplicaciones basadas en Web Dynpro ABAP), versiones - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731, no codifica suficientemente las entradas controladas por el usuario, resultando una vulnerabilidad de tipo cross-site scripting (XSS)", }, ], id: "CVE-2021-33664", lastModified: "2024-11-21T06:09:18.720", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", 
cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-09T14:15:10.040", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3025604", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3025604", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-14 16:15
Modified
2024-11-21 06:30
Severity ?
Summary
Two methods of a utility class in SAP NetWeaver AS ABAP (versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756) allow an attacker who has high privileges and direct access to the SAP system to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, which could highly impact the Confidentiality, Integrity and Availability of the system.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", matchCriteriaId: "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", matchCriteriaId: "706FEB9E-3EE9-405E-A8C9-733DAF68AC6D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:*", matchCriteriaId: "9B5BF1EC-C2A6-486B-8E63-0A7ED431C1F0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:*", matchCriteriaId: "17847B21-8BE6-4359-913B-B6592D37C655", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:*", matchCriteriaId: "2F1B47E4-C4E3-4D79-9048-EF6A82B8085E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", matchCriteriaId: "5CC29738-CF17-4E6B-9C9E-879B17F7E001", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: 
"cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.", }, { lang: "es", value: "Dos métodos de una clase de utilidad en SAP NetWeaver AS ABAP - versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, permiten a un atacante con altos privilegios y que tenga acceso directo al sistema SAP, inyectar código cuando es ejecutado con un determinado constructor de clases de transacción. 
Esto podría permitir la ejecución de comandos arbitrarios en el sistema operativo, que podrían impactar altamente la Confidencialidad, Integridad y Disponibilidad del sistema", }, ], id: "CVE-2021-44235", lastModified: "2024-11-21T06:30:39.247", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 7.2, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-14T16:15:09.713", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3123196", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3123196", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], 
source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-13 03:15
Modified
2024-11-21 08:59
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information that would otherwise be restricted, with low impact on the confidentiality of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3360827 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3360827 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | kernel_7.53 | |
sap | netweaver_application_server_abap | kernel_7.54 | |
sap | netweaver_application_server_abap | kernel_7.77 | |
sap | netweaver_application_server_abap | kernel_7.85 | |
sap | netweaver_application_server_abap | kernel_7.89 | |
sap | netweaver_application_server_abap | kernel_7.93 | |
sap | netweaver_application_server_abap | kernel_7.94 | |
sap | netweaver_application_server_abap | krnl64uc_7.53 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.54:*:*:*:*:*:*:*", matchCriteriaId: "D99F18BB-B44E-48B5-BD7C-D20E40915268", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.85:*:*:*:*:*:*:*", matchCriteriaId: "A120BC2E-92B2-404A-ADF6-F1AF512631E6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.89:*:*:*:*:*:*:*", matchCriteriaId: "56F63498-DAC3-40EE-9625-51FA522BA0DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.93:*:*:*:*:*:*:*", matchCriteriaId: "0269C487-81F8-4240-BEF8-1A7C33864519", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.94:*:*:*:*:*:*:*", matchCriteriaId: "32300EC9-E892-427B-A78A-55B3E5129EC4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "ADE160BD-659F-4517-B625-61CFB2FBD456", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.", }, { lang: "es", value: "SAP NetWeaver Application Server (ABAP): versiones KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, bajo ciertas 
condiciones, permite a un atacante acceder a información que de otro modo podría estar restringida con baja impacto en la confidencialidad de la solicitud.", }, ], id: "CVE-2024-24740", lastModified: "2024-11-21T08:59:36.023", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-13T03:15:08.987", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3360827", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3360827", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-732", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-14 16:15
Modified
2024-11-21 06:30
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3119365 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3119365 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | abap_platform | 701 | |
sap | abap_platform | 740 | |
sap | abap_platform | 750 | |
sap | abap_platform | 751 | |
sap | abap_platform | 752 | |
sap | abap_platform | 753 | |
sap | abap_platform | 754 | |
sap | abap_platform | 755 | |
sap | abap_platform | 756 | |
sap | abap_platform | 804 | |
sap | netweaver_application_server_abap | 701 | |
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 | |
sap | netweaver_application_server_abap | 756 | |
sap | netweaver_application_server_abap | 804 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform:701:*:*:*:*:*:*:*", matchCriteriaId: "C04D8608-83F0-4D7F-A7A9-59B616240F14", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:740:*:*:*:*:*:*:*", matchCriteriaId: "07710B18-BF01-4316-A258-4F1CB6269C5E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:750:*:*:*:*:*:*:*", matchCriteriaId: "A3A631DA-1279-49AC-922E-7D7216DACC8D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:751:*:*:*:*:*:*:*", matchCriteriaId: "65320F25-669B-40D8-A246-07B0202C00A9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:752:*:*:*:*:*:*:*", matchCriteriaId: "DD5559B1-08ED-4F5C-A61D-0EA13597DBE9", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:753:*:*:*:*:*:*:*", matchCriteriaId: "E1C86F45-445E-4970-A378-199A35B23F4B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:754:*:*:*:*:*:*:*", matchCriteriaId: "74901A8A-A556-478F-ABCD-7DCFD471210A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:755:*:*:*:*:*:*:*", matchCriteriaId: "5B48E0FF-814F-4F9C-B5B1-87D978E1B4A4", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:756:*:*:*:*:*:*:*", matchCriteriaId: "623B6391-B1E3-4C2A-93C9-AB264377BACB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform:804:*:*:*:*:*:*:*", matchCriteriaId: "F31DD4B7-2020-47BD-B1F7-DF5AFD9E635A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", matchCriteriaId: "98B2522A-B850-4EC2-B2F2-5EBF36801B39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", 
matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:804:*:*:*:*:*:*:*", matchCriteriaId: "2132C1C0-AD61-4C85-BA07-523206815A4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.", }, { lang: "es", value: "Los informes de extracción de texto usados internamente permiten a un atacante inyectar código que puede ser ejecutado por la aplicación. 
Un atacante podría así controlar el comportamiento de la aplicación", }, ], id: "CVE-2021-44231", lastModified: "2024-11-21T06:30:38.730", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-14T16:15:09.583", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3119365", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3119365", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-02-14 04:15
Modified
2024-11-21 07:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3268959 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3268959 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", matchCriteriaId: "72491771-4492-4902-9F0C-CE6A60BAA705", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", matchCriteriaId: "421A5354-F764-402B-A3A4-2D746EACEB46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:789:*:*:*:*:*:*:*", matchCriteriaId: "8F57219A-C89A-4E49-B933-25ACE71BC884", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:790:*:*:*:*:*:*:*", matchCriteriaId: "E6787B03-7C79-4E13-B681-145AF37A99ED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 
790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.\n\n", }, ], id: "CVE-2023-23859", lastModified: "2024-11-21T07:46:59.227", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-14T04:15:12.093", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-01-12 15:15
Modified
2024-11-21 05:48
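Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H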
Summary
SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This has a high impact on the availability of the service.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3000306 | Permissions Required | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3000306 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 740 | |
sap | netweaver_application_server_abap | 750 | |
sap | netweaver_application_server_abap | 751 | |
sap | netweaver_application_server_abap | 752 | |
sap | netweaver_application_server_abap | 753 | |
sap | netweaver_application_server_abap | 754 | |
sap | netweaver_application_server_abap | 755 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", matchCriteriaId: "127E508F-6CC1-41C8-96DF-8D14FFDD4020", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", matchCriteriaId: "7777AA80-1608-420E-B7D5-09ABECD51728", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", matchCriteriaId: "0539618A-1C4D-463F-B2BB-DD1C239C23EB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", matchCriteriaId: "62828DCD-F80E-4C7C-A988-EFEA06A5223E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", matchCriteriaId: "D9F38585-73AE-4DBB-A978-F0272DF8FB58", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", matchCriteriaId: "D416C064-BB8A-4230-A761-84A93E017F79", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", matchCriteriaId: "6B8D3EA0-28E6-4333-8C67-B9D3775EB9BC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service.", }, { lang: "es", value: "SAP NetWeaver AS ABAP, versiones 740, 750, 751, 752, 753, 754, 755, permite a un atacante no autenticado impedir que usuarios legítimos accedan a un servicio, ya sea bloqueando o inundando el servicio, esto presenta un alto impacto en la disponibilidad de el servicio", }, ], id: "CVE-2021-21446", lastModified: "2024-11-21T05:48:23.437", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", 
accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-01-12T15:15:14.470", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3000306", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3000306", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", 
weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-09 14:15
Modified
2024-11-21 06:09
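Severity ?
5.8 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N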
Summary
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands into encrypted SMTP sessions over the network, due to improper restriction of I/O buffering, which can partially impact the integrity of the application.
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3030604 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3030604 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.22:*:*:*:*:*:*:*", matchCriteriaId: "6C07042F-C47F-441E-AB32-B58A066909E2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.49:*:*:*:*:*:*:*", matchCriteriaId: "5370493B-8917-4ACC-9C4B-043BEF7CCCA8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.53:*:*:*:*:*:*:*", matchCriteriaId: "DBC44C62-0BFD-4170-B094-C82DEA473938", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.73:*:*:*:*:*:*:*", matchCriteriaId: "0AE96595-DED1-447A-BD93-2D448356B479", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.77:*:*:*:*:*:*:*", matchCriteriaId: "208F59B2-7D79-4E0E-97DA-AEB9976C8EEA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.81:*:*:*:*:*:*:*", matchCriteriaId: "F39863DC-8CF3-4FB9-8FBF-1776791D701F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.82:*:*:*:*:*:*:*", matchCriteriaId: "CAA2FFEC-D7AE-4F3E-8CCF-29ECB9D38107", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.83:*:*:*:*:*:*:*", matchCriteriaId: "45DF564C-F6DB-4DDD-A196-09FAD239F159", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_7.84:*:*:*:*:*:*:*", matchCriteriaId: "8FB964D8-83B6-4DCE-B51D-CBD8766A8FBE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:kernel_8.04:*:*:*:*:*:*:*", matchCriteriaId: "379FDFC8-947E-4D09-A9DD-4B3F7481F648", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "79281E01-F573-4296-BC08-C26BC1D28619", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: 
"9E12EF81-509D-4BC5-8503-2522AA550C46", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "A1E9A9E7-8866-4BAF-841B-D4DF142C25DF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl32uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "FF946307-728B-44D6-85D8-0CE8005E5D35", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AB7E91DE-A52F-4E57-8397-7670E30C8B5C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "AB478A3C-4DD5-4F42-B2F1-9B7CCBA1B995", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "23257C18-B75C-471C-9EAF-1E86DEE845FA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "A01290A1-3C1B-4AF7-9284-C164BDEC85A2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "6D5F8B53-ECAD-4CD2-8F91-25112569C056", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "ADE160BD-659F-4517-B625-61CFB2FBD456", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.73:*:*:*:*:*:*:*", matchCriteriaId: "DD525F35-6130-45EC-85ED-7ED8E4B37BDA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "88CD861F-08FB-4CE1-923C-79D1480A2259", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], 
descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.", }, { lang: "es", value: "SAP NetWeaver AS ABAP, versiones - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT, 7.49, KRNL64UC - 8.04,7.22,7.22EXT, 7.49,7.53,7.73, KERNEL - 7.22,8.04 , 7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, permite a un atacante no autorizado insertar comandos de texto sin cifrar debido a una restricción inapropiada del almacenamiento en búfer de E/S en sesiones SMTP cifradas a través de la red, lo que puede impactar parcialmente la integridad de la aplicación", }, ], id: "CVE-2021-33663", lastModified: "2024-11-21T06:09:18.563", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 1.4, source: 
"cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-09T14:15:10.010", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3030604", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3030604", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-09 23:15
Modified
2025-03-13 16:36
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
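SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Note: the record below carries CISA Known Exploited Vulnerabilities fields (cisaExploitAdd 2022-08-18, cisaActionDue 2022-09-08, cisaRequiredAction "Apply updates per vendor instructions."), so this entry is flagged as exploited in the wild and the vendor updates should be prioritised.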
References
▼ | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/3123396 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Not Applicable, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3123396 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Not Applicable, Vendor Advisory |
Impacted products
{ cisaActionDue: "2022-09-08", cisaExploitAdd: "2022-08-18", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "SAP Multiple Products HTTP Request Smuggling Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*", matchCriteriaId: "A02FB973-7FA0-4881-B912-27F4CFBDC673", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*", matchCriteriaId: "16B3C589-DF11-459D-8A3F-1A1FD2265022", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*", matchCriteriaId: "9FBC5614-7C3F-4AD8-8640-0499B8B03C64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", matchCriteriaId: "9E8CB869-C342-4362-9A4A-298F0B5F4003", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", matchCriteriaId: "89E7439E-F4D6-45EA-99FC-C9B34D4D590E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", matchCriteriaId: "252DCEF2-8DDF-467F-8869-B69A0A3426F8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", matchCriteriaId: "9BC578BE-2308-491E-9D56-6B45AFF0FCFA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*", matchCriteriaId: "7C0E10A3-591A-4FA7-9B98-D54C3D6C63FA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*", matchCriteriaId: "150B6370-F18A-4657-95ED-D969BF7C39CE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*", matchCriteriaId: "12974FFA-3168-4A80-ACFB-D5E065A89383", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60", vulnerable: true, 
}, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "AB7E91DE-A52F-4E57-8397-7670E30C8B5C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "AB478A3C-4DD5-4F42-B2F1-9B7CCBA1B995", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", matchCriteriaId: "23257C18-B75C-471C-9EAF-1E86DEE845FA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "A01290A1-3C1B-4AF7-9284-C164BDEC85A2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*", matchCriteriaId: "6D5F8B53-ECAD-4CD2-8F91-25112569C056", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", matchCriteriaId: "ADE160BD-659F-4517-B625-61CFB2FBD456", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*", matchCriteriaId: "88CD861F-08FB-4CE1-923C-79D1480A2259", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*", matchCriteriaId: "D3F76E6A-2F27-450C-AAB5-E49A64079CAC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.49:*:*:*:*:*:*:*", matchCriteriaId: "0B4A7850-377C-4463-A5D7-07F516FBD74A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*", matchCriteriaId: "47D4D542-2EC2-490B-B4E9-3E7BB8D59B77", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*", matchCriteriaId: "E33D9481-3CF6-4AA3-B115-7903AC6DAE25", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.81:*:*:*:*:*:*:*", matchCriteriaId: "49FF2A5B-E5F0-4991-9AA3-7CB3B8C62941", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", matchCriteriaId: 
"F74EE4D5-E968-4851-89E6-4152F64930F2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.86:*:*:*:*:*:*:*", matchCriteriaId: "327A87AD-6635-4511-8505-F4418CD9D49C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.87:*:*:*:*:*:*:*", matchCriteriaId: "324C32FF-6F89-401F-9ADD-57A68320E06D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n", }, { lang: "es", value: "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 y SAP Web Dispatcher son vulnerables para el contrabando de peticiones y la concatenación de peticiones. Un atacante no autenticado puede añadir datos arbitrarios a la petición de la víctima. De este modo, el atacante puede ejecutar funciones suplantando a la víctima o envenenar las cachés web intermediarias. 
Un ataque con éxito podría resultar en el compromiso completo de la Confidencialidad, Integridad y Disponibilidad del sistema", }, ], id: "CVE-2022-22536", lastModified: "2025-03-13T16:36:39.573", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 10, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2022-02-09T23:15:18.620", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3123396", }, { source: "cna@sap.com", tags: [ "Not Applicable", "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3123396", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-444", }, ], source: "cna@sap.com", type: "Primary", }, ], }
CVE-2023-26459 (GCVE-0-2023-26459)
Vulnerability from cvelistv5
Published
2023-03-14 04:45
Modified
2025-02-27 18:05
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS score ?
Summary
Due to improper input controls in SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL, which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:53:52.946Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-26459", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T18:05:40.414592Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T18:05:47.515Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, 
modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.</p>", }, ], value: "Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-918", description: "CWE-918: Server-Side Request Forgery (SSRF)", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:26:13.940Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3296346", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-26459", datePublished: "2023-03-14T04:45:51.958Z", dateReserved: "2023-02-22T21:38:25.764Z", dateUpdated: "2025-02-27T18:05:47.515Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-27501 (GCVE-0-2023-27501)
Vulnerability from cvelistv5
Published
2023-03-14 05:06
Modified
2025-02-27 18:02
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read, but potentially critical OS files can be deleted, making the system unavailable and causing significant impact on both availability and integrity.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:16:35.453Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3294954", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-27501", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T18:02:02.344373Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T18:02:25.893Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. 
In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:23:33.289Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3294954", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform\t", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-27501", datePublished: "2023-03-14T05:06:17.678Z", dateReserved: 
"2023-03-02T03:37:32.234Z", dateUpdated: "2025-02-27T18:02:25.893Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23858 (GCVE-0-2023-23858)
Vulnerability from cvelistv5
Published
2023-02-14 03:15
Modified
2025-03-20 18:47
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS score ?
Summary
Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere outside SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver AS for ABAP and ABAP Platform |
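Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 (the description also names versions 789 and 790, which are absent from this structured list; check the vendor note when matching by version) |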
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.147Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3293786", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23858", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:47:31.068165Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:47:35.413Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. 
This could cause a limited impact on confidentiality and integrity of the application.</p>", }, ], value: "Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to send a crafted URL to a user, and by clicking the URL, the tricked user accesses SAP and might be directed with the response to somewhere out-side SAP and enter sensitive data. This could cause a limited impact on confidentiality and integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-14T03:15:27.883Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3293786", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23858", datePublished: "2023-02-14T03:15:27.883Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:47:35.413Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-26102 (GCVE-0-2022-26102)
Vulnerability from cvelistv5
Published
2022-03-08 13:35
Modified
2024-08-03 04:56
Severity ?
EPSS score ?
Summary
Due to a missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker to access content on the start screen of any transaction that is available within the same SAP system even if he/she isn't authorized for that transaction. A successful exploitation could expose information and in the worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/3145997 | x_refsource_MISC | |
https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server for ABAP |
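Version: < 700 Version: < 701 Version: < 702 Version: < 731 (the description lists versions 700, 701, 702 and 731 themselves as affected; the "<" appears to be carried over from the legacy record's version_name field, so do not read these as "older than" bounds without checking the vendor note) |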
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:56:37.601Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3145997", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server for ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 731", }, ], }, ], descriptions: [ { lang: "en", value: "Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. 
A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-03-08T13:35:51", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3145997", }, { tags: [ "x_refsource_MISC", ], url: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-26102", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server for ABAP", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "731", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction. 
A successful exploitation could expose information and in worst case manipulate data before the start screen is executed, resulting in limited impact on confidentiality and integrity of the application.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-862", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3145997", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3145997", }, { name: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", refsource: "MISC", url: "https://dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm?rc=10", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-26102", datePublished: "2022-03-08T13:35:51", dateReserved: "2022-02-25T00:00:00", dateUpdated: "2024-08-03T04:56:37.601Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-21738 (GCVE-0-2024-21738)
Vulnerability from cvelistv5
Published
2024-01-09 01:19
Modified
2024-08-01 22:27
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
EPSS score ?
Summary
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver ABAP Application Server and ABAP Platform |
Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 Version: SAP_BASIS 793 Version: SAP_BASIS 794 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T22:27:35.894Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3387737", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver ABAP Application Server and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 751", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, { status: "affected", version: "SAP_BASIS 793", }, { status: "affected", version: "SAP_BASIS 794", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.</p>", }, ], value: "SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 
An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-09T01:19:29.437Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3387737", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-21738", datePublished: "2024-01-09T01:19:29.437Z", dateReserved: "2024-01-01T10:54:59.645Z", dateUpdated: "2024-08-01T22:27:35.894Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23860 (GCVE-0-2023-23860)
Vulnerability from cvelistv5
Published
2023-02-14 03:16
Modified
2025-03-20 18:46
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.121Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23860", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:46:08.765941Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:46:16.391Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 
754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:23:01.734Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3268959", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23860", datePublished: "2023-02-14T03:16:18.411Z", dateReserved: "2023-01-19T00:05:29.416Z", dateUpdated: "2025-03-20T18:46:16.391Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0014 (GCVE-0-2023-0014)
Vulnerability from cvelistv5
Published
2023-01-10 03:02
Modified
2025-04-09 13:59
Severity ?
EPSS score ?
Summary
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver ABAP Server and ABAP Platform |
Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 710 Version: SAP_BASIS 711 Version: SAP_BASIS 730 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: KERNEL 7.22 Version: KERNEL 7.53 Version: KERNEL 7.77 Version: KERNEL 7.81 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KRNL64UC 7.22 Version: KRNL64UC 7.22EXT Version: KRNL64UC 7.53 Version: KRNL64NUC 7.22 Version: KRNL64NUC 7.22EXT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.596Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3089413", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0014", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-04-09T13:58:48.577709Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-09T13:59:20.601Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver ABAP Server and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 710", }, { status: "affected", version: "SAP_BASIS 711", }, { status: "affected", version: "SAP_BASIS 730", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 751", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.81", }, { status: "affected", version: "KERNEL 7.85", }, { 
status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KRNL64UC 7.22", }, { status: "affected", version: "KRNL64UC 7.22EXT", }, { status: "affected", version: "KRNL64UC 7.53", }, { status: "affected", version: "KRNL64NUC 7.22", }, { status: "affected", version: "KRNL64NUC 7.22EXT", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<table><tbody><tr><td><p>SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.</p></td></tr></tbody></table><br>", }, ], value: "SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. 
This could lead to capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.\n\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-294", description: "CWE-294 Authentication Bypass by Capture-replay", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-10T03:02:39.962Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3089413", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0014", datePublished: "2023-01-10T03:02:39.962Z", dateReserved: "2022-12-16T03:13:43.141Z", dateUpdated: "2025-04-09T13:59:20.601Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23853 (GCVE-0-2023-23853)
Vulnerability from cvelistv5
Published
2023-02-14 03:13
Modified
2025-03-20 18:49
Severity ?
EPSS score ?
Summary
An unauthenticated attacker in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.066Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3271227", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23853", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:49:25.546555Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:49:33.080Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some 
sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.</p>", }, ], value: "An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, can craft a link which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack. Vulnerability has no direct impact on availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:22:01.425Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3271227", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23853", datePublished: "2023-02-14T03:13:28.319Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-20T18:49:33.080Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-40308 (GCVE-0-2023-40308)
Vulnerability from cvelistv5
Published
2023-09-12 01:21
Modified
2024-09-26 18:22
Severity ?
EPSS score ?
Summary
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SAP_SE | SAP CommonCryptoLib | Version: 8 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:31:53.082Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3327896", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-40308", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-26T14:46:05.348783Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-26T14:46:15.846Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP CommonCryptoLib", vendor: "SAP_SE", versions: [ { status: "affected", version: "8", }, ], }, { defaultStatus: "unaffected", packageName: "KERNEL", product: "SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.91", }, { status: "affected", version: "KERNEL 7.92", }, { status: "affected", version: "KERNEL 7.93", }, { status: "affected", version: "KERNEL 8.04", }, { status: "affected", version: "KERNEL64UC 7.22", }, { status: "affected", version: "KERNEL64UC 7.22EXT", }, { status: "affected", version: "KERNEL64UC 7.53", }, { status: "affected", version: "KERNEL64UC 8.04", }, { status: "affected", version: "KERNEL64NUC 7.22", }, { status: "affected", version: "KERNEL64NUC 7.22EXT", }, 
], }, { defaultStatus: "unaffected", product: "SAP Web Dispatcher", vendor: "SAP_SE", versions: [ { status: "affected", version: "7.22EXT", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.54", }, { status: "affected", version: "7.77", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.89", }, ], }, { defaultStatus: "unaffected", product: "SAP Content Server", vendor: "SAP_SE", versions: [ { status: "affected", version: "6.50", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.54", }, ], }, { defaultStatus: "unaffected", product: "SAP HANA Database", vendor: "SAP_SE", versions: [ { status: "affected", version: "2.00", }, ], }, { defaultStatus: "unaffected", product: "SAP Host Agent", vendor: "SAP_SE", versions: [ { status: "affected", version: "722", }, ], }, { defaultStatus: "unaffected", product: "SAP Extended Application Services and Runtime (XSA)", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_EXTENDED_APP_SERVICES 1", }, { status: "affected", version: "XS_ADVANCED_RUNTIME 1.00", }, ], }, { defaultStatus: "unaffected", product: "SAPSSOEXT", vendor: "SAP_SE", versions: [ { status: "affected", version: "17", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.</p>", }, ], value: "SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. 
There is no ability to view or modify any information.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-787", description: "CWE-787 Out-of-bounds Write", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-26T18:22:53.534Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3327896", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Memory Corruption vulnerability in SAP CommonCryptoLib", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-40308", datePublished: "2023-09-12T01:21:15.083Z", dateReserved: "2023-08-14T07:36:04.796Z", dateUpdated: "2024-09-26T18:22:53.534Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-24740 (GCVE-0-2024-24740)
Vulnerability from cvelistv5
Published
2024-02-13 02:35
Modified
2024-09-28 22:22
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server ABAP (SAP Kernel) |
Version: KERNEL 7.53 Version: KERNEL 7.54 Version: KERNEL 7.77 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KERNEL 7.93 Version: KERNEL 7.94 Version: KRNL64UC 7.53 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:28:11.763Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3360827", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP (SAP Kernel)", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.93", }, { status: "affected", version: "KERNEL 7.94", }, { status: "affected", version: "KRNL64UC 7.53", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.</p>", }, ], value: "SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-732", description: "CWE-732: Incorrect Permission Assignment for Critical Resource", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T22:22:42.214Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3360827", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-24740", datePublished: "2024-02-13T02:35:21.224Z", dateReserved: "2024-01-29T05:13:46.617Z", dateUpdated: "2024-09-28T22:22:42.214Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2019-0257 (GCVE-0-2019-0257)
Vulnerability from cvelistv5
Published
2019-02-15 18:00
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2728839 | x_refsource_MISC | |
http://www.securityfocus.com/bid/106999 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | ABAP Platform(SAP Basis) |
Version: < from 7.0 to 7.02 Version: < from 7.10 to 7.11 Version: < 7.30 Version: < 7.31 Version: < 7.40 Version: < from 7.50 to 7.53 Version: < from 7.74 to 7.75 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:16.190Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2728839", }, { name: "106999", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/106999", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "ABAP Platform(SAP Basis)", vendor: "SAP SE", versions: [ { status: "affected", version: "< from 7.0 to 7.02", }, { status: "affected", version: "< from 7.10 to 7.11", }, { status: "affected", version: "< 7.30", }, { status: "affected", version: "< 7.31", }, { status: "affected", version: "< 7.40", }, { status: "affected", version: "< from 7.50 to 7.53", }, { status: "affected", version: "< from 7.74 to 7.75", }, ], }, ], datePublic: "2019-02-12T00:00:00", descriptions: [ { lang: "en", value: "Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization Check", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-02-16T10:57:01", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2728839", }, { name: "106999", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/106999", }, ], x_legacyV4Record: { 
CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2019-0257", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "ABAP Platform(SAP Basis)", version: { version_data: [ { version_name: "<", version_value: "from 7.0 to 7.02", }, { version_name: "<", version_value: "from 7.10 to 7.11", }, { version_name: "<", version_value: "7.30", }, { version_name: "<", version_value: "7.31", }, { version_name: "<", version_value: "7.40", }, { version_name: "<", version_value: "from 7.50 to 7.53", }, { version_name: "<", version_value: "from 7.74 to 7.75", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization Check", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943", }, { name: "https://launchpad.support.sap.com/#/notes/2728839", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2728839", }, { name: "106999", refsource: "BID", url: "http://www.securityfocus.com/bid/106999", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2019-0257", datePublished: "2019-02-15T18:00:00", dateReserved: "2018-11-26T00:00:00", dateUpdated: "2024-08-04T17:44:16.190Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41215 (GCVE-0-2022-41215)
Vulnerability from cvelistv5
Published
2022-11-08 00:00
Modified
2024-08-03 12:35
Severity ?
EPSS score ?
Summary
SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver ABAP Server and ABAP Platform |
Version: = 700 Version: = 731 Version: = 740 Version: = 750 Version: = 789 Version: = 701 Version: = 702 Version: = 751 Version: = 752 Version: = 753 Version: = 754 Version: = 755 Version: = 756 Version: = 757 Version: = 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:35:49.613Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3251202", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver ABAP Server and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "= 700", }, { status: "affected", version: "= 731", }, { status: "affected", version: "= 740", }, { status: "affected", version: "= 750", }, { status: "affected", version: "= 789", }, { status: "affected", version: "= 701", }, { status: "affected", version: "= 702", }, { status: "affected", version: "= 751", }, { status: "affected", version: "= 752", }, { status: "affected", version: "= 753", }, { status: "affected", version: "= 754", }, { status: "affected", version: "= 755", }, { status: "affected", version: "= 756", }, { status: "affected", version: "= 757", }, { status: "affected", version: "= 790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information.</p>", }, ], value: "SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. 
This could lead to the user being tricked to disclose personal information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-601", description: "CWE-601", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-12T19:41:02.080Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { url: "https://launchpad.support.sap.com/#/notes/3251202", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41215", datePublished: "2022-11-08T00:00:00", dateReserved: "2022-09-21T00:00:00", dateUpdated: "2024-08-03T12:35:49.613Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-27499 (GCVE-0-2023-27499)
Vulnerability from cvelistv5
Published
2023-04-11 02:48
Modified
2025-02-07 19:32
Severity: 6.1 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (CNA-assigned, from the record below)
Summary
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim into clicking it; the script supplied by the attacker then executes in the victim's browser. Information in the victim's web browser can then be modified, or read and sent to the attacker. (The version list in this description is garbled as published; the Impacted products rows below list each affected kernel individually.)
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | GUI for HTML |
Version: KERNEL 7.22 Version: KERNEL 7.53 Version: KERNEL 7.54 Version: KERNEL 7.77 Version: KERNEL 7.81 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KERNEL 7.91 Version: KRNL64UC 7.22 Version: KRNL64UC 7.22EXT Version: KRNL64UC 7.53 Version: KRNL64NUC 7.22 Version: KRNL64NUC 7.22EXT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:16:35.477Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3275458", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-27499", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T19:31:59.613500Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-07T19:32:04.550Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "GUI for HTML", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.81", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.91", }, { status: "affected", version: "KRNL64UC 7.22", }, { status: "affected", version: "KRNL64UC 7.22EXT", }, { status: "affected", version: "KRNL64UC 7.53", }, { status: "affected", version: "KRNL64NUC 7.22", }, { status: "affected", version: "KRNL64NUC 7.22EXT", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. 
An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.</p>", }, ], value: "SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-03T03:20:34.384Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3275458", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-27499", 
datePublished: "2023-04-11T02:48:52.677Z", dateReserved: "2023-03-02T03:37:32.233Z", dateUpdated: "2025-02-07T19:32:04.550Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-41366 (GCVE-0-2023-41366)
Vulnerability from cvelistv5
Published
2023-11-14 01:01
Modified
2024-09-03 14:30
Severity: 5.3 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (CNA-assigned, from the record below)
Summary
Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server ABAP and ABAP Platform |
Version: KERNEL 722 Version: KERNEL 7.53 Version: KERNEL 7.77 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KERNEL 7.54 Version: KERNEL 7.91 Version: KERNEL 7.92 Version: KERNEL 7.93 Version: KERNEL 7.94 Version: KERNEL64UC 7.22 Version: KERNEL64UC 7.22EXT Version: KERNEL64UC 7.53 Version: KERNEL64NUC 7.22 Version: KERNEL64NUC 7.22EXT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:01:35.309Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3362849", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-41366", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-03T14:30:14.112710Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-03T14:30:54.957Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 722", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.91", }, { status: "affected", version: "KERNEL 7.92", }, { status: "affected", version: "KERNEL 7.93", }, { status: "affected", version: "KERNEL 7.94", }, { status: "affected", version: "KERNEL64UC 7.22", }, { status: "affected", version: "KERNEL64UC 7.22EXT", }, { status: "affected", version: "KERNEL64UC 7.53", }, { status: "affected", version: "KERNEL64NUC 7.22", }, { status: "affected", version: "KERNEL64NUC 7.22EXT", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, 
KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.</p>", }, ], value: "Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-497", description: "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-14T01:01:07.759Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3362849", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform", x_generator: { engine: 
"Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-41366", datePublished: "2023-11-14T01:01:07.759Z", dateReserved: "2023-08-29T05:27:56.300Z", dateUpdated: "2024-09-03T14:30:54.957Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0013 (GCVE-0-2023-0013)
Vulnerability from cvelistv5
Published
2023-01-10 02:50
Modified
2025-04-09 15:25
Severity: 6.1 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (CNA-assigned, from the record below)
Summary
The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.608Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3283283", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0013", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-09T15:25:38.335011Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-09T15:25:48.857Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 
On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.", }, ], value: "The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for ABAP and ABAP Platform does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-10T02:50:52.294Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3283283", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-0013", datePublished: "2023-01-10T02:50:52.294Z", dateReserved: "2022-12-16T03:13:36.148Z", dateUpdated: "2025-04-09T15:25:48.857Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-21446 (GCVE-0-2021-21446)
Vulnerability from cvelistv5
Published
2021-01-12 14:40
Modified
2024-08-03 18:16
Severity: 7.5 (HIGH), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CNA-assigned, from the record below)
Summary
SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3000306 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
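Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 |
Note: the summary names these same releases (740, 750-755) as affected, so the "<" prefix, which comes from the CNA record's version field, is ambiguous; take the exact fixed support-package level from SAP Note 3000306 rather than from this column.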
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:16:22.448Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3000306", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-02-11T20:23:05", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3000306", }, ], x_legacyV4Record: { CVE_data_meta: { 
ASSIGNER: "cna@sap.com", ID: "CVE-2021-21446", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service.", }, ], }, impact: { cvss: { baseScore: "7.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476", }, { name: "https://launchpad.support.sap.com/#/notes/3000306", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3000306", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-21446", datePublished: "2021-01-12T14:40:18", dateReserved: "2020-12-30T00:00:00", dateUpdated: "2024-08-03T18:16:22.448Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-40495 (GCVE-0-2021-40495)
Vulnerability from cvelistv5
Published
2021-10-12 14:03
Modified
2024-08-04 02:44
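Severity: not scored. The CNA record below carries no CVSS metrics, and the legacy record's baseScore is the string "null".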
Summary
There are multiple Denial-of-Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform. Administrators can check in transaction SICF whether this service is active on their systems; the referenced SAP Note 3099011 is the vendor advisory.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3099011 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
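Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 |
Note: the summary names these same releases (740, 750-755) as affected, so the "<" prefix, which comes from the CNA record's version field, is ambiguous; take the exact fixed support-package level from SAP Note 3099011 rather than from this column.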
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:44:10.857Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3099011", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, ], }, ], descriptions: [ { lang: "en", value: "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. 
An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform.", }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-12T14:03:19", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3099011", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-40495", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755. 
An unauthorized attacker can use the public SICF service /sap/public/bc/abap to reduce the performance of SAP NetWeaver Application Server ABAP and ABAP Platform.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { name: "https://launchpad.support.sap.com/#/notes/3099011", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3099011", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-40495", datePublished: "2021-10-12T14:03:19", dateReserved: "2021-09-03T00:00:00", dateUpdated: "2024-08-04T02:44:10.857Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-40504 (GCVE-0-2021-40504)
Vulnerability from cvelistv5
Published
2021-11-10 15:29
Modified
2024-08-04 02:44
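Severity: not scored. The CNA record below carries no CVSS metrics, and the legacy record's baseScore is the string "null".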
Summary
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3105728 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS for ABAP and ABAP Platform |
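Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 |
Note: the summary names these same releases (700 through 756) as affected, so the "<" prefix, which comes from the CNA record's version field, is ambiguous; take the exact fixed support-package level from SAP Note 3105728 rather than from this column.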
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:44:10.769Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3105728", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, ], }, ], descriptions: [ { lang: "en", value: "A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-11-10T15:29:16", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3105728", }, ], x_legacyV4Record: { 
CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-40504", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS for ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-863", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, { name: "https://launchpad.support.sap.com/#/notes/3105728", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3105728", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", 
assignerShortName: "sap", cveId: "CVE-2021-40504", datePublished: "2021-11-10T15:29:16", dateReserved: "2021-09-03T00:00:00", dateUpdated: "2024-08-04T02:44:10.769Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-44231 (GCVE-0-2021-44231)
Vulnerability from cvelistv5
Published
2021-12-14 15:44
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3119365 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP ABAP Server & ABAP Platform (Translation Tools) |
Version: < 701 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 Version: < 804 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:17:24.557Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3119365", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP ABAP Server & ABAP Platform (Translation Tools)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 701", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, { status: "affected", version: "< 804", }, ], }, ], descriptions: [ { lang: "en", value: "Internally used text extraction reports allow an attacker to inject code that can be executed by the application. 
An attacker could thereby control the behavior of the application.", }, ], problemTypes: [ { descriptions: [ { description: "Code injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-14T15:44:08", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3119365", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-44231", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP ABAP Server & ABAP Platform (Translation Tools)", version: { version_data: [ { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, { version_name: "<", version_value: "804", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Internally used text extraction reports allow an attacker to inject code that can be executed by the application. 
An attacker could thereby control the behavior of the application.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Code injection", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { name: "https://launchpad.support.sap.com/#/notes/3119365", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3119365", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-44231", datePublished: "2021-12-14T15:44:08", dateReserved: "2021-11-26T00:00:00", dateUpdated: "2024-08-04T04:17:24.557Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-33001 (GCVE-0-2024-33001)
Vulnerability from cvelistv5
Published
2024-06-11 02:05
Modified
2024-08-02 02:27
Severity
6.5 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (CNA score, taken from the record below)
EPSS score ?
Summary
SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application.
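References
| URL | Tags |
|---|---|
| https://me.sap.com/notes/3453170 | |
| https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html | |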
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver and ABAP platform |
Version: ST-PI 2008_1_700 Version: 2008_1_710 Version: 740 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap_se:sap_netweaver_and_abap_platform:740:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "sap_netweaver_and_abap_platform", vendor: "sap_se", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "2008_1_710", }, { status: "affected", version: "ST-PI_2008_1_700", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-33001", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T19:53:26.938876Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-30T17:29:13.906Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T02:27:53.403Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3453170", }, { tags: [ "x_transferred", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver and ABAP platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "ST-PI 2008_1_700", }, { status: "affected", version: "2008_1_710", }, { status: "affected", version: "740", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver and ABAP platform allows an\nattacker to impede performance for legitimate users by crashing or flooding the\nservice.</p>\n\nAn\nimpact of this Denial of Service vulnerability might be long response delays\nand service interruptions, thus degrading the service quality experienced by\nlegitimate users causing high impact on availability of the application.\n\n\n\n", }, ], value: "SAP NetWeaver and ABAP platform allows 
an\nattacker to impede performance for legitimate users by crashing or flooding the\nservice.\n\n\n\nAn\nimpact of this Denial of Service vulnerability might be long response delays\nand service interruptions, thus degrading the service quality experienced by\nlegitimate users causing high impact on availability of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-11T02:05:00.333Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3453170", }, { url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], source: { discovery: "UNKNOWN", }, title: "Denial of service (DOS) in SAP NetWeaver and ABAP platform", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-33001", datePublished: "2024-06-11T02:05:00.333Z", dateReserved: "2024-04-23T04:04:25.520Z", dateUpdated: "2024-08-02T02:27:53.403Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-26832 (GCVE-0-2020-26832)
Vulnerability from cvelistv5
Published
2020-12-09 16:31
Modified
2024-08-04 16:03
Severity
7.6 (HIGH) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H (CNA score, taken from the record below)
EPSS score ?
Summary
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2993132 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2022/May/42 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP NetWeaver AS ABAP (SAP Landscape Transformation) | Version: < 2011_1_620 Version: < 2011_1_640 Version: < 2011_1_700 Version: < 2011_1_710 Version: < 2011_1_730 Version: < 2011_1_731 Version: < 2011_1_752 Version: < 2020 |
| SAP SE | SAP S4 HANA (SAP Landscape Transformation) | Version: < 101 Version: < 102 Version: < 103 Version: < 104 Version: < 105 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:03:22.474Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 2011_1_620", }, { status: "affected", version: "< 2011_1_640", }, { status: "affected", version: "< 2011_1_700", }, { status: "affected", version: "< 2011_1_710", }, { status: "affected", version: "< 2011_1_730", }, { status: "affected", version: "< 2011_1_731", }, { status: "affected", version: "< 2011_1_752", }, { status: "affected", version: "< 2020", }, ], }, { product: "SAP S4 HANA (SAP Landscape Transformation)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 101", }, { status: "affected", version: "< 102", }, { status: "affected", version: "< 103", }, { status: "affected", version: "< 104", }, { status: "affected", version: "< 105", }, ], }, ], descriptions: [ { lang: "en", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape 
Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-19T17:06:20", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-26832", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)", version: { version_data: [ { version_name: "<", version_value: "2011_1_620", }, { version_name: "<", version_value: "2011_1_640", }, { 
version_name: "<", version_value: "2011_1_700", }, { version_name: "<", version_value: "2011_1_710", }, { version_name: "<", version_value: "2011_1_730", }, { version_name: "<", version_value: "2011_1_731", }, { version_name: "<", version_value: "2011_1_752", }, { version_name: "<", version_value: "2020", }, ], }, }, { product_name: "SAP S4 HANA (SAP Landscape Transformation)", version: { version_data: [ { version_name: "<", version_value: "101", }, { version_name: "<", version_value: "102", }, { version_name: "<", version_value: "103", }, { version_name: "<", version_value: "104", }, { version_name: "<", version_value: "105", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, ], }, impact: { cvss: { baseScore: "7.6", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { name: "https://launchpad.support.sap.com/#/notes/2993132", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities 
in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2022/May/42", }, { name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-26832", datePublished: "2020-12-09T16:31:03", dateReserved: "2020-10-07T00:00:00", dateUpdated: "2024-08-04T16:03:22.474Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-26818 (GCVE-0-2020-26818)
Vulnerability from cvelistv5
Published
2020-11-10 16:17
Modified
2024-08-04 16:03
Severity
6.5 (MEDIUM) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (CNA score, taken from the record below)
EPSS score ?
Summary
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2971954 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Web Dynpro) |
Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 782 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:03:22.370Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Web Dynpro)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 782", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-11-10T16:17:12", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: 
"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-26818", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Web Dynpro)", version: { version_data: [ { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "782", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.", }, ], }, impact: { cvss: { baseScore: "6.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { name: "https://launchpad.support.sap.com/#/notes/2971954", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2971954", }, ], }, }, }, }, cveMetadata: { assignerOrgId: 
"e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-26818", datePublished: "2020-11-10T16:17:12", dateReserved: "2020-10-07T00:00:00", dateUpdated: "2024-08-04T16:03:22.370Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23859 (GCVE-0-2023-23859)
Vulnerability from cvelistv5
Published
2023-02-14 03:15
Modified
2025-03-20 18:47
Severity
6.1 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (CNA score, taken from the record below)
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 789 Version: 790 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:27.061Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3268959", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23859", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T18:47:09.242964Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T18:47:11.697Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "789", }, { status: "affected", version: "790", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a 
malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:23:19.231Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3268959", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23859", datePublished: "2023-02-14T03:15:54.117Z", dateReserved: "2023-01-19T00:05:29.416Z", dateUpdated: "2025-03-20T18:47:11.697Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-39799 (GCVE-0-2022-39799)
Vulnerability from cvelistv5
Published
2022-09-13 15:43
Modified
2024-08-03 12:07
Severity ?
EPSS score ?
Summary
An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user.
References
▼ | URL | Tags |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3229820 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) |
Version: KERNEL 7.77 Version: 7.81 Version: 7.85 Version: 7.89 Version: 7.54 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:07:41.955Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3229820", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)", vendor: "SAP SE", versions: [ { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "7.81", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.89", }, { status: "affected", version: "7.54", }, ], }, ], descriptions: [ { lang: "en", value: "An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. 
This could lead to stealing session information and impersonating the affected user.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-21T18:48:24", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3229820", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-39799", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)", version: { version_data: [ { version_affected: "=", version_value: "KERNEL 7.77", }, { version_affected: "=", version_value: "7.81", }, { version_affected: "=", version_value: "7.85", }, { version_affected: "=", version_value: "7.89", }, { version_affected: "=", version_value: "7.54", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. 
This could lead to stealing session information and impersonating the affected user.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { name: "https://launchpad.support.sap.com/#/notes/3229820", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3229820", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-39799", datePublished: "2022-09-13T15:43:40", dateReserved: "2022-09-02T00:00:00", dateUpdated: "2024-08-03T12:07:41.955Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-22536 (GCVE-0-2022-22536)
Vulnerability from cvelistv5
Published
2022-02-09 22:05
Modified
2025-01-29 20:21
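Severity
9.8 (CRITICAL) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (as scored in the CISA ADP container of the record below)
Known exploited: listed in the CISA Known Exploited Vulnerabilities catalog (dateAdded 2022-08-18); SSVC in the same container records Exploitation "active", Automatable "yes", Technical Impact "total"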
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/3123396 | x_refsource_MISC | |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SAP SE | SAP NetWeaver and ABAP Platform | Version: KERNEL 7.22 Version: 8.04 Version: 7.49 Version: 7.53 Version: 7.77 Version: 7.81 Version: 7.85 Version: 7.86 Version: 7.87 Version: KRNL64UC 8.04 Version: 7.22 Version: 7.22EXT Version: KRNL64NUC 7.22 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T03:14:55.457Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3123396", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-22536", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-29T20:20:36.420396Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2022-08-18", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-22536", }, type: "kev", }, }, ], providerMetadata: { dateUpdated: "2025-01-29T20:21:03.971Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "8.04", }, { status: "affected", version: "7.49", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.77", }, { status: "affected", version: "7.81", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.86", }, { status: "affected", version: "7.87", }, { status: "affected", version: "KRNL64UC 8.04", }, { status: 
"affected", version: "7.22", }, { status: "affected", version: "7.22EXT", }, { status: "affected", version: "KRNL64NUC 7.22", }, ], }, { defaultStatus: "unaffected", product: "SAP Web Dispatcher", vendor: "SAP SE", versions: [ { status: "affected", version: "7.49", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.77", }, { status: "affected", version: "7.81", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.22EXT", }, { status: "affected", version: "7.86", }, { status: "affected", version: "7.87", }, ], }, { defaultStatus: "unaffected", product: "SAP Content Server", vendor: "SAP SE", versions: [ { status: "affected", version: "7.53", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.</p>", }, ], value: "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. 
A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-26T03:11:25.429Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3123396", }, { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-22536", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver and ABAP Platform", version: { version_data: [ { version_affected: "=", version_value: "KERNEL 7.22", }, { version_affected: "=", version_value: "8.04", }, { version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "7.53", }, { version_affected: "=", version_value: "7.77", }, { version_affected: "=", version_value: "7.81", }, { version_affected: "=", version_value: "7.85", }, { version_affected: "=", version_value: "7.86", }, { version_affected: "=", version_value: "7.87", }, { version_affected: "=", version_value: "KRNL64UC 8.04", }, { version_affected: "=", version_value: "7.22", }, { version_affected: "=", version_value: "7.22EXT", }, { version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "7.53", }, { version_affected: "=", version_value: "KRNL64NUC 7.22", }, { version_affected: "=", version_value: "7.22EXT", }, { version_affected: "=", version_value: "7.49", }, ], }, }, { product_name: "SAP Web Dispatcher", version: { version_data: [ { 
version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "7.53", }, { version_affected: "=", version_value: "7.77", }, { version_affected: "=", version_value: "7.81", }, { version_affected: "=", version_value: "7.85", }, { version_affected: "=", version_value: "7.22EXT", }, { version_affected: "=", version_value: "7.86", }, { version_affected: "=", version_value: "7.87", }, ], }, }, { product_name: "SAP Content Server", version: { version_data: [ { version_affected: "=", version_value: "7.53", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. 
A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3123396", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3123396", }, { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-22536", datePublished: "2022-02-09T22:05:24.000Z", dateReserved: "2022-01-04T00:00:00.000Z", dateUpdated: "2025-01-29T20:21:03.971Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-27603 (GCVE-0-2021-27603)
Vulnerability from cvelistv5
Published
2021-04-13 18:40
Modified
2024-08-03 21:26
Severity
6.5 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, from the CNA metrics in the record below)
Summary
An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3028729 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS for ABAP |
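Version: < 731 Version: < 740 Version: < 750 (the Summary names 731, 740 and 750 themselves as affected, so "<" here should not be read as excluding those releases; see SAP note 3028729 for the fixed levels) |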
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:26:10.122Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3028729", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS for ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, ], }, ], descriptions: [ { lang: "en", value: "An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-13T18:40:46", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3028729", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-27603", STATE: "PUBLIC", }, affects: { vendor: { 
vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS for ABAP", version: { version_data: [ { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.", }, ], }, impact: { cvss: { baseScore: "6.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649", }, { name: "https://launchpad.support.sap.com/#/notes/3028729", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3028729", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-27603", datePublished: "2021-04-13T18:40:46", dateReserved: "2021-02-23T00:00:00", dateUpdated: "2024-08-03T21:26:10.122Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41214 (GCVE-0-2022-41214)
Vulnerability from cvelistv5
Published
2022-11-08 00:00
Modified
2024-08-03 12:35
Severity
8.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H, from the CNA metrics in the record below)
Summary
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application.
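References
URL | Tags |
---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | |
https://launchpad.support.sap.com/#/notes/3256571 | |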
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP and ABAP Platform |
Version: = 700 Version: = 731 Version: = 804 Version: = 740 Version: = 750 Version: = 789 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:35:49.660Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "= 700", }, { status: "affected", version: "= 731", }, { status: "affected", version: "= 804", }, { status: "affected", version: "= 740", }, { status: "affected", version: "= 750", }, { status: "affected", version: "= 789", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application.</p>", }, ], value: "Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. 
On successful exploitation an attacker can completely compromise the integrity and availability of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-10T06:09:20.063Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { url: "https://launchpad.support.sap.com/#/notes/3256571", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41214", datePublished: "2022-11-08T00:00:00", dateReserved: "2022-09-21T00:00:00", dateUpdated: "2024-08-03T12:35:49.660Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-29610 (GCVE-0-2022-29610)
Vulnerability from cvelistv5
Published
2022-05-11 14:56
Modified
2024-08-03 06:26
Summary
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.
References
▼ | URL | Tags |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3146336 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP |
Version: 753 Version: 754 Version: 755 Version: 756 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T06:26:06.616Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3146336", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-11T14:56:23", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3146336", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-29610", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server ABAP", version: { version_data: [ { version_affected: "=", version_value: "753", }, { version_affected: "=", version_value: "754", }, { version_affected: "=", version_value: "755", }, { version_affected: "=", version_value: "756", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: 
"4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { name: "https://launchpad.support.sap.com/#/notes/3146336", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3146336", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-29610", datePublished: "2022-05-11T14:56:23", dateReserved: "2022-04-25T00:00:00", dateUpdated: "2024-08-03T06:26:06.616Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-38178 (GCVE-0-2021-38178)
Vulnerability from cvelistv5
Published
2021-10-12 14:03
Modified
2024-08-04 01:37
Summary
The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3097887 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
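Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 (the Summary names these releases themselves as affected, so "<" here should not be read as excluding them; see SAP note 3097887 for the fixed levels) |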
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:37:15.889Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3097887", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, ], }, ], descriptions: [ { lang: "en", value: "The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. 
By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.", }, ], problemTypes: [ { descriptions: [ { description: "Improper Authorization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-12T14:03:34", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3097887", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-38178", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, enables a malicious user to transfer ABAP code artifacts or content, by-passing the established quality gates. 
By this vulnerability malicious code can reach quality and production, and can compromise the confidentiality, integrity, and availability of the system and its data.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { name: "https://launchpad.support.sap.com/#/notes/3097887", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3097887", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-38178", datePublished: "2021-10-12T14:03:34", dateReserved: "2021-08-07T00:00:00", dateUpdated: "2024-08-04T01:37:15.889Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-21473 (GCVE-0-2021-21473)
Vulnerability from cvelistv5
Published
2021-06-09 13:23
Modified
2024-08-03 18:16
Severity
6.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, from the CNA metrics in the record below)
Summary
SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3002517 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2022/May/42 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT) |
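Version: < 700 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 (the Summary names these releases themselves as affected, so "<" here should not be read as excluding them; see SAP note 3002517 for the fixed levels) |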
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:16:22.654Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3002517", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.", }, ], 
metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-19T17:06:25", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3002517", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-21473", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT)", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", 
version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function module SRM_RFC_SUBMIT_REPORT which fails to validate authorization of an authenticated user thus allowing an unauthorized user to execute reports in SAP NetWeaver ABAP Platform.", }, ], }, impact: { cvss: { baseScore: "6.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { name: "https://launchpad.support.sap.com/#/notes/3002517", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3002517", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2022/May/42", }, { name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-21473", datePublished: "2021-06-09T13:23:48", 
dateReserved: "2020-12-30T00:00:00", dateUpdated: "2024-08-03T18:16:22.654Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-27269 (GCVE-0-2023-27269)
Vulnerability from cvelistv5
Published
2023-03-14 04:58
Modified
2025-02-27 15:03
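Severity
9.6 CRITICAL (CVSS 3.1 base score from the CNA record on this page; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)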
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.
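References
URL | Tags |
---|---|
https://launchpad.support.sap.com/#/notes/3294595 | x_transferred |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_transferred |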
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:09:41.843Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3294595", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-27269", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T15:02:52.836978Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T15:03:19.178Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. 
In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:24:27.214Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3294595", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-27269", datePublished: "2023-03-14T04:58:10.184Z", dateReserved: "2023-02-27T15:19:34.024Z", dateUpdated: "2025-02-27T15:03:19.178Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33665 (GCVE-0-2021-33665)
Vulnerability from cvelistv5
Published
2021-06-09 13:33
Modified
2024-08-03 23:58
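Severity
5.4 MEDIUM (CVSS 3.0 base score from the CNA record on this page; vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)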
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3028370 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML) |
Version: < KRNL64NUC - 7.49 Version: < KRNL64UC - 7.49 Version: < 7.53 Version: < KERNEL - 7.49 Version: < 7.77 Version: < 7.81 Version: < 7.84 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:21.921Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3028370", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML)", vendor: "SAP SE", versions: [ { status: "affected", version: "< KRNL64NUC - 7.49", }, { status: "affected", version: "< KRNL64UC - 7.49", }, { status: "affected", version: "< 7.53", }, { status: "affected", version: "< KERNEL - 7.49", }, { status: "affected", version: "< 7.77", }, { status: "affected", version: "< 7.81", }, { status: "affected", version: "< 7.84", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Cross Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-09T13:33:13", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ 
"x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3028370", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33665", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML)", version: { version_data: [ { version_name: "<", version_value: "KRNL64NUC - 7.49", }, { version_name: "<", version_value: "KRNL64UC - 7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "KERNEL - 7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "7.77", }, { version_name: "<", version_value: "7.81", }, { version_name: "<", version_value: "7.84", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], }, impact: { cvss: { baseScore: "5.4", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { name: "https://launchpad.support.sap.com/#/notes/3028370", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3028370", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33665", datePublished: 
"2021-06-09T13:33:13", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:21.921Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33663 (GCVE-0-2021-33663)
Vulnerability from cvelistv5
Published
2021-06-09 13:33
Modified
2024-08-03 23:58
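Severity
5.8 MEDIUM (CVSS 3.0 base score from the CNA record on this page; vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)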
EPSS score ?
Summary
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands into encrypted SMTP sessions over the network, due to improper restriction of I/O buffering, which can partially impact the integrity of the application.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3030604 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
Version: < KRNL32NUC - 7.22 Version: < 7.22EXT Version: < KRNL32UC - 7.22 Version: < KRNL64NUC - 7.22 Version: < 7.49 Version: < KRNL64UC - 8.04 Version: < 7.22 Version: < 7.53 Version: < 7.73 Version: < KERNEL - 7.22 Version: < 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.82 Version: < 7.83 Version: < 7.84 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:22.262Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3030604", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< KRNL32NUC - 7.22", }, { status: "affected", version: "< 7.22EXT", }, { status: "affected", version: "< KRNL32UC - 7.22", }, { status: "affected", version: "< KRNL64NUC - 7.22", }, { status: "affected", version: "< 7.49", }, { status: "affected", version: "< KRNL64UC - 8.04", }, { status: "affected", version: "< 7.22", }, { status: "affected", version: "< 7.53", }, { status: "affected", version: "< 7.73", }, { status: "affected", version: "< KERNEL - 7.22", }, { status: "affected", version: "< 8.04", }, { status: "affected", version: "< 7.77", }, { status: "affected", version: "< 7.81", }, { status: "affected", version: "< 7.82", }, { status: "affected", version: "< 7.83", }, { status: "affected", version: "< 7.84", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-09T13:33:06", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3030604", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33663", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "KRNL32NUC - 7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "KRNL32UC - 7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "KRNL64NUC - 7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "KRNL64UC - 8.04", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "7.73", }, { version_name: "<", version_value: "KERNEL - 7.22", }, { version_name: "<", version_value: "8.04", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "7.73", }, { version_name: "<", version_value: "7.77", }, { version_name: "<", version_value: "7.81", }, { version_name: "<", version_value: "7.82", }, { 
version_name: "<", version_value: "7.83", }, { version_name: "<", version_value: "7.84", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application.", }, ], }, impact: { cvss: { baseScore: "5.8", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { name: "https://launchpad.support.sap.com/#/notes/3030604", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3030604", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33663", datePublished: "2021-06-09T13:33:06", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:22.262Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6310 (GCVE-0-2020-6310)
Vulnerability from cvelistv5
Published
2020-08-12 13:52
Modified
2024-08-04 08:55
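Severity
4.3 MEDIUM (CVSS 3.0 base score from the CNA record on this page; vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)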
EPSS score ?
Summary
Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2944988 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver (ABAP Server) and ABAP Platform |
Version: < 702 Version: < 730 Version: < 731 Version: < 740 Version: < 750 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.287Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2944988", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver (ABAP Server) and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 702", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, ], }, ], descriptions: [ { lang: "en", value: "Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-12T13:52:51", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2944988", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6310", STATE: "PUBLIC", }, affects: 
{ vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver (ABAP Server) and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731, 740, 750, allows any authenticated user to enumerate all SAP users, leading to Information Disclosure.", }, ], }, impact: { cvss: { baseScore: "4.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { name: "https://launchpad.support.sap.com/#/notes/2944988", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2944988", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6310", datePublished: "2020-08-12T13:52:51", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.287Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2019-0321 (GCVE-0-2019-0321)
Vulnerability from cvelistv5
Published
2019-07-10 18:54
Modified
2024-08-04 17:44
Severity
Not scored: the CVE record on this page carries no CVSS metrics.
EPSS score ?
Summary
ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/109078 | vdb-entry, x_refsource_BID | |
https://launchpad.support.sap.com/#/notes/2773888 | x_refsource_MISC | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | ABAP Server and ABAP Platform (SAP Basis) |
Version: < 7.31 Version: < 7.4 Version: < 7.5 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:16.476Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "109078", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/109078", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2773888", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "ABAP Server and ABAP Platform (SAP Basis)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 7.31", }, { status: "affected", version: "< 7.4", }, { status: "affected", version: "< 7.5", }, ], }, ], descriptions: [ { lang: "en", value: "ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], problemTypes: [ { descriptions: [ { description: "Cross-Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-07-10T18:55:33", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { name: "109078", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/109078", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2773888", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2019-0321", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "ABAP Server and ABAP Platform (SAP Basis)", version: { version_data: [ { version_name: "<", version_value: "7.31", }, { version_name: "<", version_value: "7.4", }, { version_name: "<", 
version_value: "7.5", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross-Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "109078", refsource: "BID", url: "http://www.securityfocus.com/bid/109078", }, { name: "https://launchpad.support.sap.com/#/notes/2773888", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2773888", }, { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", refsource: "CONFIRM", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2019-0321", datePublished: "2019-07-10T18:54:44", dateReserved: "2018-11-26T00:00:00", dateUpdated: "2024-08-04T17:44:16.476Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-25618 (GCVE-0-2023-25618)
Vulnerability from cvelistv5
Published
2023-03-14 04:51
Modified
2025-02-27 15:11
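Severity
6.5 MEDIUM (CVSS 3.1 base score from the CNA record on this page; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)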
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:25:19.274Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3296346", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-25618", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T15:11:25.902982Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T15:11:45.115Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will 
consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:27:59.080Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3296346", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Denial of Service (DoS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-25618", datePublished: "2023-03-14T04:51:29.976Z", dateReserved: "2023-02-09T13:30:50.223Z", dateUpdated: "2025-02-27T15:11:45.115Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-25614 (GCVE-0-2023-25614)
Vulnerability from cvelistv5
Published
2023-02-14 03:20
Modified
2025-03-20 20:16
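Severity
6.1 MEDIUM (CVSS 3.1 base score from the CNA record on this page; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)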
EPSS score ?
Summary
SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated attacker to inject code that can be executed by the application over the network. On successful exploitation, the attacker can gain access to sensitive information, which leads to a limited impact on the confidentiality and the integrity of the application. The CVE record on this page classifies the flaw as CWE-79 (cross-site scripting), and its CVSS vector requires user interaction (UI:R).
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS ABAP (BSP Framework) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T11:25:19.310Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3274585", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-25614", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:16:04.671050Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:16:11.329Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (BSP Framework)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. 
On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.</p>", }, ], value: "SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:29:07.679Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3274585", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-25614", datePublished: "2023-02-14T03:20:11.856Z", dateReserved: "2023-02-09T13:30:50.223Z", dateUpdated: "2025-03-20T20:16:11.329Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-22540 (GCVE-0-2022-22540)
Vulnerability from cvelistv5
Published
2022-02-09 22:05
Modified
2024-08-03 03:14
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP (Workplace Server), versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries that could expose the backend database (SQL injection, CWE-89). Successful attacks could result in disclosure of a table of contents from the system, but there is no risk of modification.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/3140587 | x_refsource_MISC | |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Workplace Server) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 787 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T03:14:55.486Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3140587", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Workplace Server)", vendor: "SAP SE", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "787", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. 
Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-24T15:18:50", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3140587", }, { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-22540", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Workplace Server)", version: { version_data: [ { version_affected: "=", version_value: "700", }, { version_affected: "=", version_value: "701", }, { version_affected: "=", version_value: "702", }, { version_affected: "=", version_value: "731", }, { version_affected: "=", version_value: "740", }, { version_affected: "=", version_value: "750", }, { version_affected: "=", version_value: "751", }, { version_affected: "=", version_value: "752", }, { version_affected: "=", version_value: "753", }, { version_affected: "=", version_value: "754", }, { version_affected: "=", version_value: "755", }, { version_affected: "=", version_value: "756", }, { version_affected: "=", version_value: "787", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. 
Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-89", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3140587", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3140587", }, { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-22540", datePublished: "2022-02-09T22:05:24", dateReserved: "2022-01-04T00:00:00", dateUpdated: "2024-08-03T03:14:55.486Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-35874 (GCVE-0-2023-35874)
Vulnerability from cvelistv5
Published
2023-07-11 02:47
Modified
2024-10-23 16:26
Severity: 6.0 Medium (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L; CNA score from the record below)
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform, versions KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact and causing a limited impact on confidentiality, integrity and availability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: KRNL64NUC 722 Version: KRNL64NUC 7.22EXT Version: KRNL64UC 7.22 Version: KRNL64UC 7.22EXT Version: KRNL64UC 7.53 Version: KERNEL 7.22 Version: KERNEL 7.53 Version: KERNEL 7.77 Version: KERNEL 7.81 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KERNEL 7.54 Version: KERNEL 7.92 Version: KERNEL 7.93 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:30:45.380Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3318850", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-35874", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-23T16:24:21.492073Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-23T16:26:07.026Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "KRNL64NUC 722", }, { status: "affected", version: "KRNL64NUC 7.22EXT", }, { status: "affected", version: "KRNL64UC 7.22", }, { status: "affected", version: "KRNL64UC 7.22EXT", }, { status: "affected", version: "KRNL64UC 7.53", }, { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.81", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.92", }, { status: "affected", version: "KERNEL 7.93", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, 
KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.</p>", }, ], value: "SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-306", description: "CWE-306: Missing Authentication for Critical Function", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T21:59:57.494Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3318850", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: 
"e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-35874", datePublished: "2023-07-11T02:47:11.869Z", dateReserved: "2023-06-19T10:27:44.580Z", dateUpdated: "2024-10-23T16:26:07.026Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-27270 (GCVE-0-2023-27270)
Vulnerability from cvelistv5
Published
2023-03-14 04:58
Modified
2025-02-27 15:02
Severity: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H; CNA score from the record below)
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:09:41.807Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3296328", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-27270", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T15:01:52.640692Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T15:02:08.114Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which 
will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:25:00.239Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3296328", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-27270", datePublished: "2023-03-14T04:58:44.671Z", dateReserved: "2023-02-27T15:19:34.024Z", dateUpdated: "2025-02-27T15:02:08.114Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-27610 (GCVE-0-2021-27610)
Vulnerability from cvelistv5
Published
2021-06-16 14:45
Modified
2024-08-03 21:26
Severity: 9.0 Critical (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H; CNA score from the record below)
EPSS score ?
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, do not create information about internal and external RFC users in a consistent and distinguishable format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3007182 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: < 700 Version: < 701 Version: < 702 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 804 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:26:09.712Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3007182", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 804", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Improper Authentication", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: 
"2021-06-16T14:45:57", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3007182", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-27610", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "804", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.", }, ], }, impact: { cvss: { baseScore: "9.0", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Authentication", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", 
refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { name: "https://launchpad.support.sap.com/#/notes/3007182", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3007182", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-27610", datePublished: "2021-06-16T14:45:57", dateReserved: "2021-02-23T00:00:00", dateUpdated: "2024-08-03T21:26:09.712Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6371 (GCVE-0-2020-6371)
Vulnerability from cvelistv5
Published
2020-10-15 01:56
Modified
2024-08-04 09:02
Severity: 4.3 Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N; CNA score from the record below)
EPSS score ?
Summary
A user enumeration vulnerability in SAP NetWeaver Application Server ABAP (POWL test application), versions 710, 711, 730, 731, 740, 750, can be exploited to obtain a list of user accounts and can expose personal user information, leading to information disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2963137 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP (POWL test application) |
Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T09:02:39.932Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2963137", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server ABAP (POWL test application)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, ], }, ], descriptions: [ { lang: "en", value: "User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-10-15T01:56:41", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2963137", }, ], x_legacyV4Record: { 
CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6371", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server ABAP (POWL test application)", version: { version_data: [ { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP NetWeaver Application Server ABAP (POWL test application) versions - 710, 711, 730, 731, 740, 750, leading to Information Disclosure.", }, ], }, impact: { cvss: { baseScore: "4.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", }, { name: "https://launchpad.support.sap.com/#/notes/2963137", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2963137", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6371", datePublished: "2020-10-15T01:56:41", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T09:02:39.932Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-40496 (GCVE-0-2021-40496)
Vulnerability from cvelistv5
Published
2021-10-12 14:03
Modified
2024-08-04 02:44
Severity ?
EPSS score ?
Summary
SAP Internet Communication framework (ICM), versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality to exploit the authentication function by using POST and a form field to repeat execution of the initial command through a GET request, exposing sensitive data. This vulnerability is normally exposed over the network, and successful exploitation can lead to exposure of data such as system details.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3087254 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: < 700 Version: < 701 Version: < 702 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 Version: < 785 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:44:10.795Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3087254", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, { status: "affected", version: "< 785", }, ], }, ], descriptions: [ { lang: "en", value: "SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. 
This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-668", description: "CWE-668", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-12T14:03:51", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3087254", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-40496", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, { version_name: "<", version_value: "785", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to repeat executions of the initial command by a GET request and exposing sensitive data. 
This vulnerability is normally exposed over the network and successful exploitation can lead to exposure of data like system details.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-668", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { name: "https://launchpad.support.sap.com/#/notes/3087254", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3087254", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-40496", datePublished: "2021-10-12T14:03:51", dateReserved: "2021-09-03T00:00:00", dateUpdated: "2024-08-04T02:44:10.795Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6299 (GCVE-0-2020-6299)
Vulnerability from cvelistv5
Published
2020-08-12 13:43
Modified
2024-08-04 08:55
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2941510 | x_refsource_MISC |
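Impacted products
Note: each "< NNN" entry below comes from the legacy record's version_name "<" joined to its version_value. The description lists these same release numbers as the affected versions, so an entry should probably not be read as "only releases older than NNN". Confirm the affected and fixed support-package levels in SAP Note 2941510.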
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver (ABAP Server) and ABAP Platform |
Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.302Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2941510", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver (ABAP Server) and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-12T13:43:57", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2941510", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: 
"cna@sap.com", ID: "CVE-2020-6299", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver (ABAP Server) and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of users in the given system using value help, leading to Information Disclosure.", }, ], }, impact: { cvss: { baseScore: "4.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { name: "https://launchpad.support.sap.com/#/notes/2941510", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2941510", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6299", datePublished: "2020-08-12T13:43:57", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.302Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33677 (GCVE-0-2021-33677)
Vulnerability from cvelistv5
Published
2021-07-14 11:03
Modified
2024-08-03 23:58
Summary
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3044754 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: < 700 Version: < 702 Version: < 730 Version: < 731 Version: < 804 Version: < 740 Version: < 750 Version: < 784 Version: < DEV |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:22.565Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3044754", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 804", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 784", }, { status: "affected", version: "< DEV", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-14T11:03:57", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3044754", }, ], x_legacyV4Record: { 
CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33677", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "804", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "784", }, { version_name: "<", version_value: "DEV", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.", }, ], }, impact: { cvss: { baseScore: "6.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { name: "https://launchpad.support.sap.com/#/notes/3044754", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3044754", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33677", datePublished: "2021-07-14T11:03:57", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:22.565Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33664 (GCVE-0-2021-33664)
Vulnerability from cvelistv5
Published
2021-06-09 13:32
Modified
2024-08-03 23:58
Summary
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3025604 | x_refsource_MISC |
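Impacted products
Note: the last version entry below, "< 31", does not match the description, which lists SAP_BASIS 702 and 731; the value looks truncated in the source record. Use SAP Note 3025604 for the authoritative list of affected releases.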
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) |
Version: < SAP_UI - 750 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < SAP_BASIS - 702 Version: < 31 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:22.366Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3025604", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)", vendor: "SAP SE", versions: [ { status: "affected", version: "< SAP_UI - 750", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< SAP_BASIS - 702", }, { status: "affected", version: "< 31", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Cross Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-09T13:32:50", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { tags: [ "x_refsource_MISC", ], url: 
"https://launchpad.support.sap.com/#/notes/3025604", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33664", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP)", version: { version_data: [ { version_name: "<", version_value: "SAP_UI - 750", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "SAP_BASIS - 702", }, { version_name: "<", version_value: "31", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.", }, ], }, impact: { cvss: { baseScore: "5.4", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, { name: "https://launchpad.support.sap.com/#/notes/3025604", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3025604", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33664", datePublished: "2021-06-09T13:32:50", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:22.366Z", state: "PUBLISHED", }, dataType: 
"CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33684 (GCVE-0-2021-33684)
Vulnerability from cvelistv5
Published
2021-07-14 11:04
Modified
2024-08-03 23:58
Summary
SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3032624 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: < KRNL32NUC 7.21 Version: < 7.21EXT Version: < 7.22 Version: < 7.22EXT Version: < KRNL32UC 7.21 Version: < KRNL64NUC 7.21 Version: < 7.49 Version: < KRNL64UC 8.04 Version: < 7.21 Version: < 7.53 Version: < KERNEL 8.04 Version: < 7.77 Version: < 7.81 Version: < 7.84 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:22.539Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3032624", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< KRNL32NUC 7.21", }, { status: "affected", version: "< 7.21EXT", }, { status: "affected", version: "< 7.22", }, { status: "affected", version: "< 7.22EXT", }, { status: "affected", version: "< KRNL32UC 7.21", }, { status: "affected", version: "< KRNL64NUC 7.21", }, { status: "affected", version: "< 7.49", }, { status: "affected", version: "< KRNL64UC 8.04", }, { status: "affected", version: "< 7.21", }, { status: "affected", version: "< 7.53", }, { status: "affected", version: "< KERNEL 8.04", }, { status: "affected", version: "< 7.77", }, { status: "affected", version: "< 7.81", }, { status: "affected", version: "< 7.84", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. 
The work process will attempt to restart itself after the crash and hence the impact on the availability is low.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-787", description: "Memory Corruption (CWE-787)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-14T11:04:32", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3032624", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33684", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "KRNL32NUC 7.21", }, { version_name: "<", version_value: "7.21EXT", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "KRNL32UC 7.21", }, { version_name: "<", version_value: "7.21EXT", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "KRNL64NUC 7.21", }, { version_name: "<", version_value: "7.21EXT", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "KRNL64UC 8.04", }, { version_name: "<", version_value: "7.21", }, { version_name: "<", 
version_value: "7.21EXT", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "KERNEL 8.04", }, { version_name: "<", version_value: "7.21", }, { version_name: "<", version_value: "7.21EXT", }, { version_name: "<", version_value: "7.22", }, { version_name: "<", version_value: "7.22EXT", }, { version_name: "<", version_value: "7.49", }, { version_name: "<", version_value: "7.53", }, { version_name: "<", version_value: "7.77", }, { version_name: "<", version_value: "7.81", }, { version_name: "<", version_value: "7.84", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. 
The work process will attempt to restart itself after the crash and hence the impact on the availability is low.", }, ], }, impact: { cvss: { baseScore: "5.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Memory Corruption (CWE-787)", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { name: "https://launchpad.support.sap.com/#/notes/3032624", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3032624", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33684", datePublished: "2021-07-14T11:04:32", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:22.539Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-41734 (GCVE-0-2024-41734)
Vulnerability from cvelistv5
Published
2024-08-13 04:18
Modified
2024-08-13 14:38
Summary
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.
References
URL |
---|
https://me.sap.com/notes/3494349 |
https://url.sap/sapsecuritypatchday |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server ABAP and ABAP Platform |
Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 Version: SAP_BASIS 912 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-41734", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-13T14:32:33.604375Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T14:38:41.935Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 751", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, { status: "affected", version: "SAP_BASIS 912", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. 
There is no impact on integrity or availability.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", }, ], value: "Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862 Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-13T04:18:03.596Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3494349", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-41734", datePublished: "2024-08-13T04:18:03.596Z", dateReserved: "2024-07-22T08:06:52.676Z", dateUpdated: "2024-08-13T14:38:41.935Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-42067 (GCVE-0-2021-42067)
Vulnerability from cvelistv5
Published
2022-01-14 19:11
Modified
2024-08-04 03:22
Severity ?
EPSS score ?
Summary
In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3112710 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS for ABAP and ABAP Platform |
Version: < 701 Version: < 702 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 Version: < 786 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:22:25.941Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3112710", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, { status: "affected", version: "< 786", }, ], }, ], descriptions: [ { lang: "en", value: "In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. 
No information alteration or denial of service is possible.", }, ], problemTypes: [ { descriptions: [ { description: "SSRF", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-01-14T19:11:31", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3112710", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-42067", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS for ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, { version_name: "<", version_value: "786", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. 
No information alteration or denial of service is possible.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "SSRF", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035", }, { name: "https://launchpad.support.sap.com/#/notes/3112710", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3112710", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-42067", datePublished: "2022-01-14T19:11:31", dateReserved: "2021-10-07T00:00:00", dateUpdated: "2024-08-04T03:22:25.941Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-26819 (GCVE-0-2020-26819)
Vulnerability from cvelistv5
Published
2020-11-10 16:13
Modified
2024-08-04 16:03
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components that allow them to read and delete database log files, because of Improper Access Control.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2971954 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Web Dynpro) |
Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 782 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:03:23.072Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2971954", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Web Dynpro)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 782", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Improper Access Control", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-11-10T16:13:34", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { tags: [ "x_refsource_MISC", ], url: 
"https://launchpad.support.sap.com/#/notes/2971954", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-26819", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Web Dynpro)", version: { version_data: [ { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "782", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control.", }, ], }, impact: { cvss: { baseScore: "5.4", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Access Control", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", }, { name: "https://launchpad.support.sap.com/#/notes/2971954", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2971954", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-26819", datePublished: "2020-11-10T16:13:34", dateReserved: "2020-10-07T00:00:00", dateUpdated: "2024-08-04T16:03:23.072Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-35294 (GCVE-0-2022-35294)
Vulnerability from cvelistv5
Published
2022-09-13 15:43
Modified
2024-08-03 09:36
Severity ?
EPSS score ?
Summary
An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users, resulting in a stored Cross-Site Scripting attack. This could lead to information disclosure, including theft of authentication information and impersonation of the affected user.
References
▼ | URL | Tags |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3218177 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
Version: KRNL64NUC 7.22 Version: 7.22EXT Version: 7.49 Version: KRNL64UC 7.22 Version: 7.53 Version: KERNEL 7.22 Version: 7.77 Version: 7.81 Version: 7.85 Version: 7.89 Version: 7.54 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:36:43.369Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3218177", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "KRNL64NUC 7.22", }, { status: "affected", version: "7.22EXT", }, { status: "affected", version: "7.49", }, { status: "affected", version: "KRNL64UC 7.22", }, { status: "affected", version: "7.53", }, { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "7.77", }, { status: "affected", version: "7.81", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.89", }, { status: "affected", version: "7.54", }, ], }, ], descriptions: [ { lang: "en", value: "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. 
This could lead to information disclosure including stealing authentication information and impersonating the affected user.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-21T18:48:24", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3218177", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-35294", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_affected: "=", version_value: "KRNL64NUC 7.22", }, { version_affected: "=", version_value: "7.22EXT", }, { version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "KRNL64UC 7.22", }, { version_affected: "=", version_value: "7.22EXT", }, { version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "7.53", }, { version_affected: "=", version_value: "KERNEL 7.22", }, { version_affected: "=", version_value: "7.49", }, { version_affected: "=", version_value: "7.53", }, { version_affected: "=", version_value: "7.77", }, { version_affected: "=", version_value: "7.81", }, { version_affected: "=", version_value: "7.85", }, { version_affected: "=", version_value: "7.89", }, { version_affected: "=", version_value: "7.54", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting 
in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { name: "https://launchpad.support.sap.com/#/notes/3218177", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3218177", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-35294", datePublished: "2022-09-13T15:43:33", dateReserved: "2022-07-07T00:00:00", dateUpdated: "2024-08-03T09:36:43.369Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6240 (GCVE-0-2020-6240)
Vulnerability from cvelistv5
Published
2020-05-12 17:46
Modified
2024-08-04 08:55
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, leading to Denial of Service.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/2856923 | x_refsource_MISC | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Web Dynpro ABAP) (SAP_UI) | Version: < 750 Version: < 752 Version: < 753 Version: < 754 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.180Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2856923", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Web Dynpro ABAP) (SAP_UI)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 750", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, ], }, { product: "SAP NetWeaver AS ABAP (Web Dynpro ABAP) (SAP_BASIS)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 804", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-05-12T17:46:58", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ 
"x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2856923", }, { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6240", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Web Dynpro ABAP) (SAP_UI)", version: { version_data: [ { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, ], }, }, { product_name: "SAP NetWeaver AS ABAP (Web Dynpro ABAP) (SAP_BASIS)", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "804", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service", }, ], }, impact: { cvss: { baseScore: "5.3", vectorString: "CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/2856923", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2856923", }, { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", refsource: "MISC", url: 
"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6240", datePublished: "2020-05-12T17:46:58", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.180Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-40309 (GCVE-0-2023-40309)
Vulnerability from cvelistv5
Published
2023-09-12 02:21
Modified
2024-09-28 22:10
Severity ?
EPSS score ?
Summary
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SAP_SE | SAP CommonCryptoLib | Version: 8 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:31:53.172Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3340576", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-40309", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-26T14:26:09.938156Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-26T14:26:24.862Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP CommonCryptoLib", vendor: "SAP_SE", versions: [ { status: "affected", version: "8", }, ], }, { defaultStatus: "unaffected", product: "SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise", vendor: "SAP_SE", versions: [ { status: "affected", version: "KERNEL 7.22", }, { status: "affected", version: "KERNEL 7.53", }, { status: "affected", version: "KERNEL 7.54", }, { status: "affected", version: "KERNEL 7.77", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.91", }, { status: "affected", version: "KERNEL 7.92", }, { status: "affected", version: "KERNEL 7.93", }, { status: "affected", version: "KERNEL 8.04", }, { status: "affected", version: "KERNEL64UC 7.22", }, { status: "affected", version: "KERNEL64UC 7.22EXT", }, { status: "affected", version: "KERNEL64UC 7.53", }, { status: "affected", version: "KERNEL64UC 8.04", }, { status: "affected", version: "KERNEL64NUC 7.22", }, { status: "affected", version: "KERNEL64NUC 7.22EXT", }, ], }, { defaultStatus: 
"unaffected", product: "SAP Web Dispatcher", vendor: "SAP_SE", versions: [ { status: "affected", version: "7.22EXT", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.54", }, { status: "affected", version: "7.77", }, { status: "affected", version: "7.85", }, { status: "affected", version: "7.89", }, ], }, { defaultStatus: "unaffected", product: "SAP Content Server", vendor: "SAP_SE", versions: [ { status: "affected", version: "6.50", }, { status: "affected", version: "7.53", }, { status: "affected", version: "7.54", }, ], }, { defaultStatus: "unaffected", product: "SAP HANA Database", vendor: "SAP_SE", versions: [ { status: "affected", version: "2.00", }, ], }, { defaultStatus: "unaffected", product: "SAP Host Agent", vendor: "SAP_SE", versions: [ { status: "affected", version: "722", }, ], }, { defaultStatus: "unaffected", product: "SAP Extended Application Services and Runtime (XSA)", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_EXTENDED_APP_SERVICES 1", }, { status: "affected", version: "XS_ADVANCED_RUNTIME 1.00", }, ], }, { defaultStatus: "unaffected", product: "SAPSSOEXT", vendor: "SAP_SE", versions: [ { status: "affected", version: "17", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.</p>", }, ], value: "SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. 
Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863: Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T22:10:46.845Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3340576", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP CommonCryptoLib", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-40309", datePublished: "2023-09-12T02:21:19.058Z", dateReserved: "2023-08-14T07:36:04.796Z", dateUpdated: "2024-09-28T22:10:46.845Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-44235 (GCVE-0-2021-44235)
Vulnerability from cvelistv5
Published
2021-12-14 15:44
Modified
2024-08-04 04:17
Severity ?
EPSS score ?
Summary
Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker who has high privileges and direct access to the SAP system to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, which could highly impact the Confidentiality, Integrity and Availability of the system.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3123196 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:17:24.558Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3123196", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, ], }, ], descriptions: [ { lang: "en", value: "Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. 
This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.", }, ], problemTypes: [ { descriptions: [ { description: "Code Injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-14T15:44:09", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3123196", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-44235", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain 
transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Code Injection", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021", }, { name: "https://launchpad.support.sap.com/#/notes/3123196", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3123196", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-44235", datePublished: "2021-12-14T15:44:09", dateReserved: "2021-11-26T00:00:00", dateUpdated: "2024-08-04T04:17:24.558Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-44114 (GCVE-0-2024-44114)
Vulnerability from cvelistv5
Published
2024-09-10 03:06
Modified
2024-09-10 13:27
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server for ABAP and ABAP Platform |
Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 758 Version: 912 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-44114", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T13:27:35.804954Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-10T13:27:50.746Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "758", }, { status: "affected", version: "912", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. 
This results in a minimal impact on confidentiality of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863: Incorrect Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-10T03:06:18.174Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3507252", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-44114", datePublished: "2024-09-10T03:06:18.174Z", dateReserved: "2024-08-20T20:22:59.936Z", dateUpdated: "2024-09-10T13:27:50.746Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-21490 (GCVE-0-2021-21490)
Vulnerability from cvelistv5
Published
2021-06-09 13:23
Modified
2024-08-03 18:16
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters, which results in a reflected cross-site scripting vulnerability through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/3004043 | x_refsource_MISC | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS for ABAP (Web Survey) |
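Version: < 700 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 750 Version: < 752 Version: < 75A Version: < 75F |
Note: the "<" prefix is carried over from the legacy record (version_name "<", version_value "700", and so on), while the Summary lists the same release numbers as the affected versions. Most likely each entry names an affected release rather than "all releases below it"; confirm the fixed patch level in the SAP note listed under References.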
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:16:22.657Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3004043", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS for ABAP (Web Survey)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 75A", }, { status: "affected", version: "< 75F", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Cross Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-09T13:23:40", orgId: 
"e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3004043", }, { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-21490", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS for ABAP (Web Survey)", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "75A", }, { version_name: "<", version_value: "75F", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.", }, ], }, impact: { cvss: { baseScore: "6.1", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3004043", refsource: "MISC", url: 
"https://launchpad.support.sap.com/#/notes/3004043", }, { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-21490", datePublished: "2021-06-09T13:23:40", dateReserved: "2020-12-30T00:00:00", dateUpdated: "2024-08-03T18:16:22.657Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-33678 (GCVE-0-2021-33678)
Vulnerability from cvelistv5
Published
2021-07-14 11:04
Modified
2024-08-03 23:58
Severity
6.5 (MEDIUM) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
EPSS score ?
Summary
A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a highly privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.
References
URL | Tags | |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3048657 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2022/May/42 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Reconciliation Framework) |
Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 75A Version: < 75B Version: < 75C Version: < 75D Version: < 75E Version: < 75F |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:58:22.357Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3048657", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Reconciliation Framework)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 75A", }, { status: "affected", version: "< 75B", }, { status: "affected", version: "< 75C", }, { status: "affected", version: "< 75D", }, { status: "affected", version: "< 75E", }, { status: "affected", version: "< 75F", }, ], }, ], descriptions: [ { lang: "en", value: "A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 
75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-95", description: "CWE-95 (Code Injection)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-19T17:06:18", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3048657", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-33678", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Reconciliation Framework)", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", 
version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "75A", }, { version_name: "<", version_value: "75B", }, { version_name: "<", version_value: "75B", }, { version_name: "<", version_value: "75C", }, { version_name: "<", version_value: "75D", }, { version_name: "<", version_value: "75E", }, { version_name: "<", version_value: "75F", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. 
An attacker could thereby delete some critical information and could make the SAP system completely unavailable.", }, ], }, impact: { cvss: { baseScore: "6.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-95 (Code Injection)", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506", }, { name: "https://launchpad.support.sap.com/#/notes/3048657", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3048657", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2022/May/42", }, { name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-33678", datePublished: "2021-07-14T11:04:19", dateReserved: "2021-05-28T00:00:00", dateUpdated: "2024-08-03T23:58:22.357Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6296 (GCVE-0-2020-6296)
Vulnerability from cvelistv5
Published
2020-08-12 13:34
Modified
2024-08-04 08:55
Severity
8.3 (HIGH) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS score ?
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.
References
URL | Tags | |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2941667 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver (ABAP Server) and ABAP Platform |
Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 753 Version: < 755 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.230Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2941667", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver (ABAP Server) and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 755", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. 
An attacker could thereby control the behavior of the application.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Code Injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-12T13:34:40", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2941667", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6296", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver (ABAP Server) and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "755", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an 
attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.", }, ], }, impact: { cvss: { baseScore: "8.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Code Injection", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", }, { name: "https://launchpad.support.sap.com/#/notes/2941667", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2941667", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6296", datePublished: "2020-08-12T13:34:40", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.230Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-37492 (GCVE-0-2023-37492)
Vulnerability from cvelistv5
Published
2023-08-08 00:47
Modified
2024-10-08 16:26
Severity
4.9 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver AS ABAP and ABAP Platform |
Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 Version: SAP_BASIS 793 Version: SAP_BASIS 804 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T17:16:30.352Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3348000", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-37492", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-08T16:24:07.282612Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-08T16:26:09.133Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, { status: "affected", version: "SAP_BASIS 793", }, { status: "affected", version: "SAP_BASIS 804", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 
750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.</p>", }, ], value: "SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863: Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-28T22:06:21.084Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3348000", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", 
assignerShortName: "sap", cveId: "CVE-2023-37492", datePublished: "2023-08-08T00:47:40.255Z", dateReserved: "2023-07-06T14:57:18.511Z", dateUpdated: "2024-10-08T16:26:09.133Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-24522 (GCVE-0-2023-24522)
Vulnerability from cvelistv5
Published
2023-02-14 03:17
Modified
2025-03-20 20:31
Severity
6.1 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS score ?
Summary
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting malicious code over the network and to gain access to unintended data. This may lead to a limited impact on the confidentiality and integrity of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS ABAP (BSP Framework) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:56:04.378Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3269118", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-24522", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-20T20:31:22.712249Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-20T20:31:30.924Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP (BSP Framework)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.</p>", }, ], value: "Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. 
This may lead to a limited impact on the confidentiality and the integrity of the application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:26:34.087Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3269118", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-24522", datePublished: "2023-02-14T03:17:02.758Z", dateReserved: "2023-01-25T15:46:55.581Z", dateUpdated: "2025-03-20T20:31:30.924Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-26835 (GCVE-0-2020-26835)
Vulnerability from cvelistv5
Published
2020-12-09 16:30
Modified
2024-08-04 16:03
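Severity
5.3 (MEDIUM) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Note: this vector sets UI:N and C:N although the Summary describes reflected XSS, which needs a victim to open the crafted URL; the other XSS records on this page (CVE-2021-21490, CVE-2023-24522) are scored UI:R/S:C with a base score of 6.1. Treat the published score with that difference in mind when prioritising.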
EPSS score ?
Summary
SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754, does not sufficiently encode the URL, which allows an attacker to place malicious JavaScript in the URL that could be executed in the browser, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2996479 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:03:22.606Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2996479", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Cross Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-12-09T16:30:53", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2996479", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: 
"CVE-2020-26835", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input malicious java script in the URL which could be executed in the browser resulting in Reflected Cross-Site Scripting (XSS) vulnerability.", }, ], }, impact: { cvss: { baseScore: "5.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { name: "https://launchpad.support.sap.com/#/notes/2996479", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2996479", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-26835", datePublished: "2020-12-09T16:30:53", dateReserved: "2020-10-07T00:00:00", dateUpdated: "2024-08-04T16:03:22.606Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6270 (GCVE-0-2020-6270)
Vulnerability from cvelistv5
Published
2020-06-10 12:36
Modified
2024-08-04 08:55
Severity: 6.5 (Medium), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS score ?
Summary
SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2916562 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP (Banking Services) |
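Version: < 710 Version: < 711 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 75A Version: < 75B Version: < 75C Version: < 75D Version: < 75E (the "<" appears to be carried over from the legacy record's version_name field rather than a range; the summary names these releases themselves as affected, so check the exact patch level against SAP note 2916562) |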
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.334Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2916562", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (Banking Services)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 75A", }, { status: "affected", version: "< 75B", }, { status: "affected", version: "< 75C", }, { status: "affected", version: "< 75D", }, { status: "affected", version: "< 75E", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization Check", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-06-10T12:36:10", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: 
"sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2916562", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6270", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (Banking Services)", version: { version_data: [ { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "75A", }, { version_name: "<", version_value: "75B", }, { version_name: "<", version_value: "75C", }, { version_name: "<", version_value: "75D", }, { version_name: "<", version_value: "75E", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary authorization checks for an authenticated user due to Missing Authorization Check, allowing wrong and unexpected change of individual conditions by a malicious user leading to wrong prices.", }, ], }, impact: { cvss: { baseScore: "6.5", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization Check", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { name: 
"https://launchpad.support.sap.com/#/notes/2916562", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2916562", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6270", datePublished: "2020-06-10T12:36:10", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.334Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-28763 (GCVE-0-2023-28763)
Vulnerability from cvelistv5
Published
2023-04-11 02:52
Modified
2025-02-07 16:54
Severity: 6.5 (Medium), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS score ?
Summary
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform |
Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 791 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T13:51:38.228Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3296378", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28763", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T16:54:10.286221Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-07T16:54:13.312Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "791", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.</p>", }, ], value: "SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as 
a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:18:52.577Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3296378", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-28763", datePublished: "2023-04-11T02:52:07.602Z", dateReserved: "2023-03-23T04:20:27.699Z", dateUpdated: "2025-02-07T16:54:13.312Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6275 (GCVE-0-2020-6275)
Vulnerability from cvelistv5
Published
2020-06-10 12:39
Modified
2024-08-04 08:55
Severity: 7.6 (High), CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS score ?
Summary
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable to a Server-Side Request Forgery attack in which an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is set up, the attacker can compromise confidentiality, integrity and availability of the SAP database.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2912939 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP Netweaver AS ABAP |
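Version: < 700 Version: < 701 Version: < 702 Version: < 710 Version: < 711 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 (the "<" appears to be carried over from the legacy record's version_name field rather than a range; the summary names these releases themselves as affected, so check the exact patch level against SAP note 2912939) |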
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.250Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2912939", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP Netweaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 710", }, { status: "affected", version: "< 711", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, ], }, ], descriptions: [ { lang: "en", value: "SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. 
Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Server Side Request Forgery", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-06-10T12:39:02", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2912939", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6275", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP Netweaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "710", }, { version_name: "<", version_value: "711", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP Netweaver AS ABAP, versions 
700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.", }, ], }, impact: { cvss: { baseScore: "7.6", vectorString: "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Server Side Request Forgery", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775", }, { name: "https://launchpad.support.sap.com/#/notes/2912939", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2912939", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6275", datePublished: "2020-06-10T12:39:02", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.250Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-41732 (GCVE-0-2024-41732)
Vulnerability from cvelistv5
Published
2024-08-13 03:58
Modified
2024-08-13 13:28
Severity: 4.7 (Medium), CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on the availability of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server ABAP |
Version: SAP_UI 754 Version: 755 Version: 756 Version: 757 Version: 758 Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 912 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-41732", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-13T13:02:08.351578Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T13:28:06.622Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_UI 754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "758", }, { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 912", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<table>\n <tbody><tr>\n <td>\n <p>SAP NetWeaver Application Server ABAP allows\n an unauthenticated attacker to craft a URL link that could bypass allowlist\n controls. Depending on the web applications provided by this server, the\n attacker might inject CSS code or links into the web application that could\n allow the attacker to read or modify information. There is no impact on\n availability of application.</p>\n <p> </p>\n </td>\n </tr>\n</tbody></table>", }, ], value: "SAP NetWeaver Application Server ABAP allows\n an unauthenticated attacker to craft a URL link that could bypass allowlist\n controls. Depending on the web applications provided by this server, the\n attacker might inject CSS code or links into the web application that could\n allow the attacker to read or modify information. 
There is no impact on\n availability of application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284: Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-13T03:58:36.444Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3468102", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Improper Access Control in SAP Netweaver Application Server ABAP", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-41732", datePublished: "2024-08-13T03:58:36.444Z", dateReserved: "2024-07-22T08:06:52.676Z", dateUpdated: "2024-08-13T13:28:06.622Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-23854 (GCVE-0-2023-23854)
Vulnerability from cvelistv5
Published
2023-02-14 03:13
Modified
2025-03-19 15:30
Severity: 3.8 (Low), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:42:26.812Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3287291", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-23854", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-19T15:30:14.639772Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-19T15:30:40.260Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS ABAP and ABAP Platform", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.</p>", }, ], value: "SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: 
"LOW", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862 Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T21:21:48.072Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3287291", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-23854", datePublished: "2023-02-14T03:13:55.816Z", dateReserved: "2023-01-19T00:05:29.415Z", dateUpdated: "2025-03-19T15:30:40.260Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-41212 (GCVE-0-2022-41212)
Vulnerability from cvelistv5
Published
2022-11-08 00:00
Modified
2024-08-03 12:35
Severity: 4.9 (Medium), CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS score ?
Summary
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server ABAP and ABAP Platform |
Version: = 700 Version: = 731 Version: = 804 Version: = 740 Version: = 750 Version: = 789 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:35:49.640Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3256571", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "= 700", }, { status: "affected", version: "= 731", }, { status: "affected", version: "= 804", }, { status: "affected", version: "= 740", }, { status: "affected", version: "= 750", }, { status: "affected", version: "= 789", }, ], }, ], descriptions: [ { lang: "en", value: "Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. 
On successful exploitation an attacker can completely compromise the confidentiality of the application.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-08T00:00:00", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { url: "https://launchpad.support.sap.com/#/notes/3256571", }, ], }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-41212", datePublished: "2022-11-08T00:00:00", dateReserved: "2022-09-21T00:00:00", dateUpdated: "2024-08-03T12:35:49.640Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-38181 (GCVE-0-2021-38181)
Vulnerability from cvelistv5
Published
2021-10-12 14:03
Modified
2024-08-04 01:37
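Severity ? (the CNA record below carries no CVSS metrics; the legacy record's baseScore and vectorString are the string "null", so the absence of a score is not a low rating)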
EPSS score ?
Summary
SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
References
▼ | URL | Tags |
---|---|---|
https://launchpad.support.sap.com/#/notes/3080710 | x_refsource_MISC | |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP and ABAP Platform |
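Version: < 700 Version: < 701 Version: < 702 Version: < 730 Version: < 731 Version: < 740 Version: < 750 Version: < 751 Version: < 752 Version: < 753 Version: < 754 Version: < 755 Version: < 756 (the "<" appears to be carried over from the legacy record's version_name field rather than a range; the summary names these releases themselves as affected, so check the exact patch level against SAP note 3080710) |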
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:37:15.601Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3080710", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, { status: "affected", version: "< 751", }, { status: "affected", version: "< 752", }, { status: "affected", version: "< 753", }, { status: "affected", version: "< 754", }, { status: "affected", version: "< 755", }, { status: "affected", version: "< 756", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.", }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-12T14:03:12", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3080710", }, { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-38181", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { 
product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP and ABAP Platform", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, { version_name: "<", version_value: "751", }, { version_name: "<", version_value: "752", }, { version_name: "<", version_value: "753", }, { version_name: "<", version_value: "754", }, { version_name: "<", version_value: "755", }, { version_name: "<", version_value: "756", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3080710", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3080710", }, { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-38181", datePublished: "2021-10-12T14:03:13", dateReserved: "2021-08-07T00:00:00", dateUpdated: "2024-08-04T01:37:15.601Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-29611 (GCVE-0-2022-29611)
Vulnerability from cvelistv5
Published
2022-05-11 14:57
Modified
2024-08-03 06:26
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
References
▼ | URL | Tags |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3165801 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 710 Version: 711 Version: 730 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 787 Version: 788 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T06:26:06.632Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3165801", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "710", }, { status: "affected", version: "711", }, { status: "affected", version: "730", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "787", }, { status: "affected", version: "788", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-11T14:57:20", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3165801", }, ], x_legacyV4Record: 
{ CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2022-29611", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server for ABAP and ABAP Platform", version: { version_data: [ { version_affected: "=", version_value: "700", }, { version_affected: "=", version_value: "701", }, { version_affected: "=", version_value: "702", }, { version_affected: "=", version_value: "710", }, { version_affected: "=", version_value: "711", }, { version_affected: "=", version_value: "730", }, { version_affected: "=", version_value: "731", }, { version_affected: "=", version_value: "740", }, { version_affected: "=", version_value: "750", }, { version_affected: "=", version_value: "751", }, { version_affected: "=", version_value: "752", }, { version_affected: "=", version_value: "753", }, { version_affected: "=", version_value: "754", }, { version_affected: "=", version_value: "755", }, { version_affected: "=", version_value: "756", }, { version_affected: "=", version_value: "787", }, { version_affected: "=", version_value: "788", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-862", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", refsource: "MISC", url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { name: "https://launchpad.support.sap.com/#/notes/3165801", refsource: "MISC", url: 
"https://launchpad.support.sap.com/#/notes/3165801", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2022-29611", datePublished: "2022-05-11T14:57:20", dateReserved: "2022-04-25T00:00:00", dateUpdated: "2024-08-03T06:26:06.632Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-41728 (GCVE-0-2024-41728)
Vulnerability from cvelistv5
Published
2024-09-10 04:00
Modified
2024-09-10 13:26
Severity ?
EPSS score ?
Summary
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server for ABAP and ABAP Platform |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 Version: 758 Version: 912 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-41728", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-10T13:25:47.604562Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-10T13:26:14.224Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server for ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, { status: "affected", version: "758", }, { status: "affected", version: "912", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.</p>", }, ], value: "Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. 
This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-10T04:00:56.713Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3496410", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-41728", datePublished: "2024-09-10T04:00:56.713Z", dateReserved: "2024-07-22T08:06:52.675Z", dateUpdated: "2024-09-10T13:26:14.224Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-40499 (GCVE-0-2021-40499)
Vulnerability from cvelistv5
Published
2021-10-12 14:04
Modified
2024-08-04 02:44
Severity ?
EPSS score ?
Summary
Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3100882 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint) |
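Version: < 7.70 Version: < 7.70 PI Version: < 7.70BYD (the "<" is carried over from the legacy record's version_name field; the summary names versions 7.70, 7.70 PI and 7.70 BYD themselves as affected, so do not read these entries as "only releases below 7.70" without confirming against the SAP note) |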
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:44:10.842Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3100882", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 7.70", }, { status: "affected", version: "< 7.70 PI", }, { status: "affected", version: "< 7.70BYD", }, ], }, ], descriptions: [ { lang: "en", value: "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. 
An attacker could thereby control the behavior of the application.", }, ], problemTypes: [ { descriptions: [ { description: "Code Injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-12T14:04:00", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3100882", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-40499", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver Application Server for ABAP (SAP Cloud Print Manager and SAPSprint)", version: { version_data: [ { version_name: "<", version_value: "7.70", }, { version_name: "<", version_value: "7.70 PI", }, { version_name: "<", version_value: "7.70BYD", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. 
An attacker could thereby control the behavior of the application.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Code Injection", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983", }, { name: "https://launchpad.support.sap.com/#/notes/3100882", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3100882", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-40499", datePublished: "2021-10-12T14:04:00", dateReserved: "2021-09-03T00:00:00", dateUpdated: "2024-08-04T02:44:10.842Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-27611 (GCVE-0-2021-27611)
Vulnerability from cvelistv5
Published
2021-05-11 14:19
Modified
2024-08-03 21:26
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/3046610 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver AS ABAP |
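Version: < 700 Version: < 701 Version: < 702 Version: < 730 Version: < 731 (the "<" is carried over from the legacy record's version_name field; the summary names releases 700, 701, 702, 730 and 731 themselves as affected, so match on those releases rather than treating each entry as an upper bound) |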
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:26:09.917Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3046610", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP", vendor: "SAP SE", versions: [ { status: "affected", version: "< 700", }, { status: "affected", version: "< 701", }, { status: "affected", version: "< 702", }, { status: "affected", version: "< 730", }, { status: "affected", version: "< 731", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Code Injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-11T14:19:33", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3046610", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-27611", STATE: 
"PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP", version: { version_data: [ { version_name: "<", version_value: "700", }, { version_name: "<", version_value: "701", }, { version_name: "<", version_value: "702", }, { version_name: "<", version_value: "730", }, { version_name: "<", version_value: "731", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.", }, ], }, impact: { cvss: { baseScore: "8.2", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Code Injection", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655", }, { name: "https://launchpad.support.sap.com/#/notes/3046610", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3046610", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-27611", datePublished: "2021-05-11T14:19:33", dateReserved: "2021-02-23T00:00:00", dateUpdated: "2024-08-03T21:26:09.917Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-6280 (GCVE-0-2020-6280)
Vulnerability from cvelistv5
Published
2020-07-14 12:30
Modified
2024-08-04 08:55
Severity ?
EPSS score ?
Summary
SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2927373 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP SE | SAP NetWeaver (ABAP Server) and ABAP Platform |
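Version: < 731 Version: < 740 Version: < 750 (the "<" is carried over from the legacy record's version_name field; the summary names releases 731, 740 and 750 themselves as affected, so match on those releases rather than treating each entry as an upper bound) |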
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.265Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2927373", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver (ABAP Server) and ABAP Platform", vendor: "SAP SE", versions: [ { status: "affected", version: "< 731", }, { status: "affected", version: "< 740", }, { status: "affected", version: "< 750", }, ], }, ], descriptions: [ { lang: "en", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-14T12:30:14", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2927373", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6280", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver (ABAP Server) and ABAP 
Platform", version: { version_data: [ { version_name: "<", version_value: "731", }, { version_name: "<", version_value: "740", }, { version_name: "<", version_value: "750", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.", }, ], }, impact: { cvss: { baseScore: "2.7", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675", }, { name: "https://launchpad.support.sap.com/#/notes/2927373", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2927373", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6280", datePublished: "2020-07-14T12:30:14", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.265Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-40624 (GCVE-0-2023-40624)
Vulnerability from cvelistv5
Published
2023-09-12 02:00
Modified
2024-09-25 20:15
Severity ?
EPSS score ?
Summary
SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver AS ABAP (applications based on Unified Rendering) |
Version: SAP_UI 754 Version: SAP_UI 755 Version: SAP_UI 756 Version: SAP_UI 757 Version: SAP_UI 758 Version: SAP_BASIS 702 Version: SAP_BASIS 731 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:38:51.028Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3323163", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-40624", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-25T15:04:43.441539Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-25T20:15:00.246Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver AS ABAP (applications based on Unified Rendering)", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_UI 754", }, { status: "affected", version: "SAP_UI 755", }, { status: "affected", version: "SAP_UI 756", }, { status: "affected", version: "SAP_UI 757", }, { status: "affected", version: "SAP_UI 758", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. 
An attacker could thereby control the behavior of this web-application.</p>", }, ], value: "SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-12T02:00:30.824Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3323163", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-40624", datePublished: "2023-09-12T02:00:30.824Z", dateReserved: "2023-08-17T18:10:44.966Z", dateUpdated: "2024-09-25T20:15:00.246Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-49581 (GCVE-0-2023-49581)
Vulnerability from cvelistv5
Published
2023-12-12 01:10
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
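SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability. Note that the record's own CVSS 3.1 vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L) scores this with high privileges required, which does not match "unauthenticated", and its title and CWE-89 entry classify the flaw as SQL injection in the AS ABAP; confirm the actual precondition in SAP note 3392547 before triaging.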
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP NetWeaver Application Server ABAP and ABAP Platform |
Version: SAP_BASIS 700 Version: SAP_BASIS731 Version: SAP_BASIS740 Version: SAP_BASIS750 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:01:25.898Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3392547", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP NetWeaver Application Server ABAP and ABAP Platform", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS731", }, { status: "affected", version: "SAP_BASIS740", }, { status: "affected", version: "SAP_BASIS750", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.</p>", }, ], value: "SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. 
By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-16T13:56:46.654Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3392547", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-49581", datePublished: "2023-12-12T01:10:14.702Z", dateReserved: "2023-11-27T18:07:40.886Z", dateUpdated: "2024-08-02T22:01:25.898Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-27500 (GCVE-0-2023-27500)
Vulnerability from cvelistv5
Published
2023-03-14 05:05
Modified
2024-08-02 12:16
Severity ?
EPSS score ?
Summary
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP | NetWeaver AS for ABAP and ABAP Platform (SAPRSBRO Program) |
Version: 700 Version: 701 Version: 702 Version: 731 Version: 740 Version: 750 Version: 751 Version: 752 Version: 753 Version: 754 Version: 755 Version: 756 Version: 757 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "netweaver_application_server_abap", vendor: "sap", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-27500", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T19:40:42.634918Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-18T19:46:50.267Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: 
"CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T12:16:35.333Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3302162", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "NetWeaver AS for ABAP and ABAP Platform (SAPRSBRO Program)", vendor: "SAP", versions: [ { status: "affected", version: "700", }, { status: "affected", version: "701", }, { status: "affected", version: "702", }, { status: "affected", version: "731", }, { status: "affected", version: "740", }, { status: "affected", version: "750", }, { status: "affected", version: "751", }, { status: "affected", version: "752", }, { status: "affected", version: "753", }, { status: "affected", version: "754", }, { status: "affected", version: "755", }, { status: "affected", version: "756", }, { status: "affected", version: "757", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.</p>", }, ], value: "An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. 
In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T20:23:18.260Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3302162", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-27500", datePublished: "2023-03-14T05:05:20.861Z", dateReserved: "2023-03-02T03:37:32.234Z", dateUpdated: "2024-08-02T12:16:35.333Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }