Search criteria

45 vulnerabilities found for sap_basis by sap

FKIE_CVE-2025-42918

Vulnerability from fkie_nvd - Published: 2025-09-09 02:15 - Updated: 2025-10-23 12:44
Summary
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:816:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7825FC-2F0F-4096-BE41-67B4DCC4F7DE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters.  This results in a low impact on confidentiality, with no impact on integrity or availability"
    }
  ],
  "id": "CVE-2025-42918",
  "lastModified": "2025-10-23T12:44:38.700",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-09-09T02:15:40.110",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3623504"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-42911

Vulnerability from fkie_nvd - Published: 2025-09-09 02:15 - Updated: 2025-10-23 12:45
Summary
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:816:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7825FC-2F0F-4096-BE41-67B4DCC4F7DE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application"
    }
  ],
  "id": "CVE-2025-42911",
  "lastModified": "2025-10-23T12:45:48.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-09-09T02:15:38.737",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3627644"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-42936

Vulnerability from fkie_nvd - Published: 2025-08-12 03:15 - Updated: 2025-10-23 12:41
Summary
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinct authorizations for different user roles. This issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application; there is no impact on availability.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:816:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7825FC-2F0F-4096-BE41-67B4DCC4F7DE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Application Server para ABAP no permite que un administrador asigne autorizaciones distinguidas a diferentes roles de usuario. Este problema permite que los usuarios autenticados accedan a objetos restringidos en la interfaz de c\u00f3digo de barras, lo que provoca una escalada de privilegios. Esto tiene un impacto m\u00ednimo en la confidencialidad e integridad de la aplicaci\u00f3n y no afecta a la disponibilidad."
    }
  ],
  "id": "CVE-2025-42936",
  "lastModified": "2025-10-23T12:41:58.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-12T03:15:26.477",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3602656"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-266"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-42956

Vulnerability from fkie_nvd - Published: 2025-07-08 07:15 - Updated: 2025-10-27 16:51
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, the injected input data is used by the web site's page generation to create content which, when executed in the victim's browser, leads to a low impact on confidentiality and integrity, with no effect on the availability of the application.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:816:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7825FC-2F0F-4096-BE41-67B4DCC4F7DE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim\u0027s browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Application Server ABAP y ABAP Platform permiten a un atacante no autenticado crear un enlace malicioso que puede publicar. Cuando una v\u00edctima autenticada hace clic en este enlace malicioso, el sistema de generaci\u00f3n de p\u00e1ginas web utiliza los datos de entrada inyectados para crear contenido que, al ejecutarse en el navegador de la v\u00edctima, tiene un impacto m\u00ednimo en la confidencialidad e integridad, sin afectar la disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2025-42956",
  "lastModified": "2025-10-27T16:51:37.780",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-08T07:15:26.167",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3617131"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-42986

Vulnerability from fkie_nvd - Published: 2025-07-08 01:15 - Updated: 2025-10-27 16:55
Summary
Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.
Impacted products
Vendor Product Version
sap sap_basis 700
sap sap_basis 701
sap sap_basis 702
sap sap_basis 731
sap sap_basis 740
sap sap_basis 750
sap sap_basis 751
sap sap_basis 752
sap sap_basis 753
sap sap_basis 754

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application."
    },
    {
      "lang": "es",
      "value": "Debido a la falta de una verificaci\u00f3n de autorizaci\u00f3n en un m\u00f3dulo de funci\u00f3n obsoleto habilitado para RFC en SAP BASIS, un atacante autenticado con pocos privilegios podr\u00eda ejecutar una Llamada a Funci\u00f3n Remota (RFC), lo que podr\u00eda permitir el acceso a informaci\u00f3n restringida del sistema. Esto genera un impacto m\u00ednimo en la confidencialidad, sin afectar la integridad ni la disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2025-42986",
  "lastModified": "2025-10-27T16:55:48.213",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-08T01:15:25.730",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3626440"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-23193

Vulnerability from fkie_nvd - Published: 2025-02-11 01:15 - Updated: 2025-10-23 18:37
Summary
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Server ABAP permite que un atacante no autenticado aproveche una vulnerabilidad que hace que el servidor responda de forma diferente en funci\u00f3n de la existencia de un usuario espec\u00edfico, lo que podr\u00eda revelar informaci\u00f3n confidencial. Este problema no permite la modificaci\u00f3n de datos y no afecta a la disponibilidad del servidor."
    }
  ],
  "id": "CVE-2025-23193",
  "lastModified": "2025-10-23T18:37:18.397",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-11T01:15:10.700",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3561264"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-0063

Vulnerability from fkie_nvd - Published: 2025-01-14 01:15 - Updated: 2025-10-24 19:11
Summary
SAP NetWeaver AS ABAP and ABAP Platform do not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of confidentiality, integrity and availability.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver AS ABAP y ABAP Platform no comprueban la autorizaci\u00f3n cuando un usuario ejecuta algunos m\u00f3dulos de funciones RFC. Esto podr\u00eda llevar a un atacante con privilegios de usuario b\u00e1sicos a obtener el control de los datos en la base de datos Informix, lo que provocar\u00eda un compromiso total de la confidencialidad, la integridad y la disponibilidad."
    }
  ],
  "id": "CVE-2025-0063",
  "lastModified": "2025-10-24T19:11:48.830",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-14T01:15:16.633",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3550816"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-0058

Vulnerability from fkie_nvd - Published: 2025-01-14 01:15 - Updated: 2025-10-24 19:22
Summary
In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.
Impacted products
Vendor Product Version
sap sap_basis 753
sap sap_basis 754
sap sap_basis 755
sap sap_basis 756
sap sap_basis 757
sap sap_basis 758
sap sap_basis 912
sap sap_basis 913
sap sap_basis 914

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:912:*:*:*:*:*:*:*",
              "matchCriteriaId": "186B1AB2-9345-450B-BBE2-14F0F650AAF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:913:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C4A728A-DCF9-42A2-AB32-620885A0CEC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:914:*:*:*:*:*:*:*",
              "matchCriteriaId": "21CA6E71-AD1B-424B-9254-13785DC9F9F3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable."
    },
    {
      "lang": "es",
      "value": " En SAP Business Workflow y SAP Flexible Workflow, un atacante autenticado puede manipular un par\u00e1metro en una solicitud de recursos leg\u00edtima para ver informaci\u00f3n confidencial que, de otro modo, deber\u00eda estar restringida. El atacante no tiene la capacidad de modificar la informaci\u00f3n ni de hacer que no est\u00e9 disponible."
    }
  ],
  "id": "CVE-2025-0058",
  "lastModified": "2025-10-24T19:22:46.037",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-14T01:15:16.040",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3542698"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-0066

Vulnerability from fkie_nvd - Published: 2025-01-14 01:15 - Updated: 2025-10-23 19:06
Summary
Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7591F81-708C-4285-9BB2-F2B4BDB9759B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:912:*:*:*:*:*:*:*",
              "matchCriteriaId": "186B1AB2-9345-450B-BBE2-14F0F650AAF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:913:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C4A728A-DCF9-42A2-AB32-620885A0CEC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:914:*:*:*:*:*:*:*",
              "matchCriteriaId": "21CA6E71-AD1B-424B-9254-13785DC9F9F3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application"
    },
    {
      "lang": "es",
      "value": " En determinadas circunstancias, SAP NetWeaver AS para ABAP y la plataforma ABAP (Internet Communication Framework) permite a un atacante acceder a informaci\u00f3n restringida debido a controles de acceso d\u00e9biles. Esto puede tener un impacto significativo en la confidencialidad, integridad y disponibilidad de una aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2025-0066",
  "lastModified": "2025-10-23T19:06:57.513",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-01-14T01:15:16.783",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3550708"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-0053

Vulnerability from fkie_nvd - Published: 2025-01-14 01:15 - Updated: 2025-10-24 19:24
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*",
              "matchCriteriaId": "85616273-040E-49CB-8EB6-D2D4D7B603E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F774A45-2A9F-4873-A5DC-766D030C8CCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*",
              "matchCriteriaId": "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*",
              "matchCriteriaId": "86086D00-10BF-4C55-8D87-82CCBE468153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F25246A-D9E5-4F0D-B91A-478D4E5570DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*",
              "matchCriteriaId": "0218695F-C4AD-46BF-B176-F10C644A9C2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC9E7C3E-1005-450A-9198-E014C1BAADBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A177AB1-CC85-46EF-91DF-462096608C9F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits."
    },
    {
      "lang": "es",
      "value": " SAP NetWeaver Application Server para ABAP y la plataforma ABAP permite a un atacante obtener acceso no autorizado a la informaci\u00f3n del sistema. Al utilizar un par\u00e1metro de URL espec\u00edfico, un atacante no autenticado podr\u00eda recuperar detalles como la configuraci\u00f3n del sistema. Esto tiene un impacto limitado en la confidencialidad de la aplicaci\u00f3n y puede aprovecharse para facilitar otros ataques o exploits."
    }
  ],
  "id": "CVE-2025-0053",
  "lastModified": "2025-10-24T19:24:55.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-14T01:15:15.403",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3536461"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Patch"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

CVE-2025-42918 (GCVE-0-2025-42918)

Vulnerability from cvelistv5 – Published: 2025-09-09 02:09 – Updated: 2025-09-09 13:41
Summary
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability
CWE
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP (Background Processing) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:41:39.122529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:41:50.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP (Background Processing)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters.  This results in a low impact on confidentiality, with no impact on integrity or availability\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters.  This results in a low impact on confidentiality, with no impact on integrity or availability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T02:09:18.915Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3623504"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42918",
    "datePublished": "2025-09-09T02:09:18.915Z",
    "dateReserved": "2025-04-16T13:25:30.253Z",
    "dateUpdated": "2025-09-09T13:41:50.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42911 (GCVE-0-2025-42911)

Vulnerability from cvelistv5 – Published: 2025-09-09 02:05 – Updated: 2025-09-09 13:51
Summary
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application
CWE
  • CWE-862 - Missing Authorization
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (Service Data Download) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42911",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:51:14.974813Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:51:38.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Service Data Download)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T02:05:56.778Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3627644"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (Service Data Download)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42911",
    "datePublished": "2025-09-09T02:05:56.778Z",
    "dateReserved": "2025-04-16T13:25:30.252Z",
    "dateUpdated": "2025-09-09T13:51:38.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42936 (GCVE-0-2025-42936)

Vulnerability from cvelistv5 – Published: 2025-08-12 02:05 – Updated: 2025-08-13 15:03
Summary
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinct authorizations for different user roles. This issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application; there is no impact on availability.
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42936",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-12T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T15:03:51.218Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.\u003c/p\u003e"
            }
          ],
          "value": "The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266: Incorrect Privilege Assignment",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T02:05:19.690Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3602656"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver Application Server for ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42936",
    "datePublished": "2025-08-12T02:05:19.690Z",
    "dateReserved": "2025-04-16T13:25:34.582Z",
    "dateUpdated": "2025-08-13T15:03:51.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42956 (GCVE-0-2025-42956)

Vulnerability from cvelistv5 – Published: 2025-07-08 06:57 – Updated: 2025-07-08 16:12
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web page generation to create content which, when executed in the victim's browser, leads to a low impact on Confidentiality and Integrity with no effect on Availability of the application.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
sap
Impacted products
Vendor Product Version
SAP SE SAP NetWeaver Application Server ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42956",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T14:27:35.695828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T16:12:38.657Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server ABAP",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim\u0027s browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.\u003c/span\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim\u0027s browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T06:57:25.262Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3617131"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Multiple vulnerabilities in SAP NetWeaver Application Server ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42956",
    "datePublished": "2025-07-08T06:57:25.262Z",
    "dateReserved": "2025-04-16T13:25:39.583Z",
    "dateUpdated": "2025-07-08T16:12:38.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42986 (GCVE-0-2025-42986)

Vulnerability from cvelistv5 – Published: 2025-07-08 00:38 – Updated: 2025-07-08 18:13
Summary
Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.
CWE
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T18:11:27.468016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T18:13:40.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T00:38:32.873Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3626440"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42986",
    "datePublished": "2025-07-08T00:38:32.873Z",
    "dateReserved": "2025-04-16T13:25:48.060Z",
    "dateUpdated": "2025-07-08T18:13:40.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23193 (GCVE-0-2025-23193)

Vulnerability from cvelistv5 – Published: 2025-02-11 00:35 – Updated: 2025-02-11 16:00
Summary
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Server ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:59:35.647495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T16:00:41.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Server ABAP",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-11T00:35:25.783Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3561264"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-23193",
    "datePublished": "2025-02-11T00:35:25.783Z",
    "dateReserved": "2025-01-13T11:13:59.547Z",
    "dateUpdated": "2025-02-11T16:00:41.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0066 (GCVE-0-2025-0066)

Vulnerability from cvelistv5 – Published: 2025-01-14 00:09 – Updated: 2025-01-14 14:50
Summary
Under certain conditions, SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application.
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 912
Affected: SAP_BASIS 913
Affected: SAP_BASIS 914

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0066",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T14:50:09.959227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T14:50:46.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 912"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 913"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 914"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUnder certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application\u003c/p\u003e"
            }
          ],
          "value": "Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:09:36.035Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3550708"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0066",
    "datePublished": "2025-01-14T00:09:36.035Z",
    "dateReserved": "2024-12-11T05:05:07.367Z",
    "dateUpdated": "2025-01-14T14:50:46.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0063 (GCVE-0-2025-0063)

Vulnerability from cvelistv5 – Published: 2025-01-14 00:09 – Updated: 2025-01-14 14:51
Summary
SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to a complete compromise of confidentiality, integrity and availability.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver AS ABAP and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T14:51:02.419843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T14:51:11.362Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS ABAP and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:09:28.885Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3550816"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0063",
    "datePublished": "2025-01-14T00:09:28.885Z",
    "dateReserved": "2024-12-05T21:53:06.796Z",
    "dateUpdated": "2025-01-14T14:51:11.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0058 (GCVE-0-2025-0058)

Vulnerability from cvelistv5 – Published: 2025-01-14 00:08 – Updated: 2025-01-14 15:00
Summary
In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP Business Workflow and SAP Flexible Workflow Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 912
Affected: SAP_BASIS 913
Affected: SAP_BASIS 914

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T15:00:27.919691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T15:00:38.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Business Workflow and SAP Flexible Workflow",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 912"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 913"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 914"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.\u003c/p\u003e"
            }
          ],
          "value": "In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:08:59.323Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3542698"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0058",
    "datePublished": "2025-01-14T00:08:59.323Z",
    "dateReserved": "2024-12-05T21:38:15.279Z",
    "dateUpdated": "2025-01-14T15:00:38.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0053 (GCVE-0-2025-0053)

Vulnerability from cvelistv5 – Published: 2025-01-14 00:08 – Updated: 2025-01-14 15:01
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0053",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T15:01:35.337636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T15:01:44.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:08:21.600Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3536461"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0053",
    "datePublished": "2025-01-14T00:08:21.600Z",
    "dateReserved": "2024-12-05T21:37:23.093Z",
    "dateUpdated": "2025-01-14T15:01:44.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42918 (GCVE-0-2025-42918)

Vulnerability from nvd – Published: 2025-09-09 02:09 – Updated: 2025-09-09 13:41
Summary
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability.
CWE
  • CWE-862 - Missing Authorization
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP (Background Processing) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:41:39.122529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:41:50.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP (Background Processing)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters.  This results in a low impact on confidentiality, with no impact on integrity or availability\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters.  This results in a low impact on confidentiality, with no impact on integrity or availability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T02:09:18.915Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3623504"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42918",
    "datePublished": "2025-09-09T02:09:18.915Z",
    "dateReserved": "2025-04-16T13:25:30.253Z",
    "dateUpdated": "2025-09-09T13:41:50.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42911 (GCVE-0-2025-42911)

Vulnerability from nvd – Published: 2025-09-09 02:05 – Updated: 2025-09-09 13:51
Summary
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application
CWE
  • CWE-862 - Missing Authorization
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver (Service Data Download) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42911",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:51:14.974813Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:51:38.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver (Service Data Download)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T02:05:56.778Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3627644"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver (Service Data Download)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42911",
    "datePublished": "2025-09-09T02:05:56.778Z",
    "dateReserved": "2025-04-16T13:25:30.252Z",
    "dateUpdated": "2025-09-09T13:51:38.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42936 (GCVE-0-2025-42936)

Vulnerability from nvd – Published: 2025-08-12 02:05 – Updated: 2025-08-13 15:03
Summary
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinct authorizations for different user roles. This issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application; there is no impact on availability.
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42936",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-12T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T15:03:51.218Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.\u003c/p\u003e"
            }
          ],
          "value": "The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266: Incorrect Privilege Assignment",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T02:05:19.690Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3602656"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver Application Server for ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42936",
    "datePublished": "2025-08-12T02:05:19.690Z",
    "dateReserved": "2025-04-16T13:25:34.582Z",
    "dateUpdated": "2025-08-13T15:03:51.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42956 (GCVE-0-2025-42956)

Vulnerability from nvd – Published: 2025-07-08 06:57 – Updated: 2025-07-08 16:12
Summary
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, the injected input data is used during web page generation to create content which, when executed in the victim's browser, leads to a low impact on Confidentiality and Integrity with no effect on Availability of the application.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
sap
Impacted products
Vendor Product Version
SAP SE SAP NetWeaver Application Server ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 816

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42956",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T14:27:35.695828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T16:12:38.657Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server ABAP",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 816"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim\u0027s browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.\u003c/span\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim\u0027s browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T06:57:25.262Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3617131"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Multiple vulnerabilities in SAP NetWeaver Application Server ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42956",
    "datePublished": "2025-07-08T06:57:25.262Z",
    "dateReserved": "2025-04-16T13:25:39.583Z",
    "dateUpdated": "2025-07-08T16:12:38.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42986 (GCVE-0-2025-42986)

Vulnerability from nvd – Published: 2025-07-08 00:38 – Updated: 2025-07-08 18:13
Summary
Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.
CWE
  • CWE-862 - Missing Authorization
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T18:11:27.468016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T18:13:40.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T00:38:32.873Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3626440"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP NetWeaver and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42986",
    "datePublished": "2025-07-08T00:38:32.873Z",
    "dateReserved": "2025-04-16T13:25:48.060Z",
    "dateUpdated": "2025-07-08T18:13:40.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23193 (GCVE-0-2025-23193)

Vulnerability from nvd – Published: 2025-02-11 00:35 – Updated: 2025-02-11 16:00
Summary
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Server ABAP Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:59:35.647495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T16:00:41.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Server ABAP",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-11T00:35:25.783Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3561264"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-23193",
    "datePublished": "2025-02-11T00:35:25.783Z",
    "dateReserved": "2025-01-13T11:13:59.547Z",
    "dateUpdated": "2025-02-11T16:00:41.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0066 (GCVE-0-2025-0066)

Vulnerability from nvd – Published: 2025-01-14 00:09 – Updated: 2025-01-14 14:50
Summary
Under certain conditions, SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application.
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 912
Affected: SAP_BASIS 913
Affected: SAP_BASIS 914

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0066",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T14:50:09.959227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T14:50:46.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 912"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 913"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 914"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUnder certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application\u003c/p\u003e"
            }
          ],
          "value": "Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:09:36.035Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3550708"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0066",
    "datePublished": "2025-01-14T00:09:36.035Z",
    "dateReserved": "2024-12-11T05:05:07.367Z",
    "dateUpdated": "2025-01-14T14:50:46.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0063 (GCVE-0-2025-0063)

Vulnerability from nvd – Published: 2025-01-14 00:09 – Updated: 2025-01-14 14:51
Summary
SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of confidentiality, integrity and availability.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver AS ABAP and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T14:51:02.419843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T14:51:11.362Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver AS ABAP and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:09:28.885Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3550816"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0063",
    "datePublished": "2025-01-14T00:09:28.885Z",
    "dateReserved": "2024-12-05T21:53:06.796Z",
    "dateUpdated": "2025-01-14T14:51:11.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0058 (GCVE-0-2025-0058)

Vulnerability from nvd – Published: 2025-01-14 00:08 – Updated: 2025-01-14 15:00
Summary
In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP Business Workflow and SAP Flexible Workflow Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757
Affected: SAP_BASIS 758
Affected: SAP_BASIS 912
Affected: SAP_BASIS 913
Affected: SAP_BASIS 914

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T15:00:27.919691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T15:00:38.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Business Workflow and SAP Flexible Workflow",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 758"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 912"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 913"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 914"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.\u003c/p\u003e"
            }
          ],
          "value": "In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:08:59.323Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3542698"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0058",
    "datePublished": "2025-01-14T00:08:59.323Z",
    "dateReserved": "2024-12-05T21:38:15.279Z",
    "dateUpdated": "2025-01-14T15:00:38.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0053 (GCVE-0-2025-0053)

Vulnerability from nvd – Published: 2025-01-14 00:08 – Updated: 2025-01-14 15:01
Summary
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP NetWeaver Application Server for ABAP and ABAP Platform Affected: SAP_BASIS 700
Affected: SAP_BASIS 701
Affected: SAP_BASIS 702
Affected: SAP_BASIS 731
Affected: SAP_BASIS 740
Affected: SAP_BASIS 750
Affected: SAP_BASIS 751
Affected: SAP_BASIS 752
Affected: SAP_BASIS 753
Affected: SAP_BASIS 754
Affected: SAP_BASIS 755
Affected: SAP_BASIS 756
Affected: SAP_BASIS 757

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0053",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T15:01:35.337636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T15:01:44.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP NetWeaver Application Server for ABAP and ABAP Platform",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_BASIS 700"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 701"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 702"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 731"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 740"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 750"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 751"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 752"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 753"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 754"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 755"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 756"
            },
            {
              "status": "affected",
              "version": "SAP_BASIS 757"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.\u003c/p\u003e"
            }
          ],
          "value": "SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T00:08:21.600Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3536461"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-0053",
    "datePublished": "2025-01-14T00:08:21.600Z",
    "dateReserved": "2024-12-05T21:37:23.093Z",
    "dateUpdated": "2025-01-14T15:01:44.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}