Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-0059 (GCVE-0-2025-0059)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:09 – Updated: 2025-01-14 14:59
VLAI
EPSS
Title
Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
Summary
Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim�s user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.
Severity
6 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) |
Affected:
KRNL64UC 7.53
Affected: KERNEL 7.53 Affected: 7.54 Affected: 7.77 Affected: 7.89 Affected: 7.93 Affected: 9.12 Affected: 9.14 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T14:59:47.210508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T14:59:54.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "KRNL64UC 7.53"
},
{
"status": "affected",
"version": "KERNEL 7.53"
},
{
"status": "affected",
"version": "7.54"
},
{
"status": "affected",
"version": "7.77"
},
{
"status": "affected",
"version": "7.89"
},
{
"status": "affected",
"version": "7.93"
},
{
"status": "affected",
"version": "9.12"
},
{
"status": "affected",
"version": "9.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApplications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.\u003c/p\u003e"
}
],
"value": "Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:09:07.029Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3503138"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-0059",
"datePublished": "2025-01-14T00:09:07.029Z",
"dateReserved": "2024-12-05T21:38:16.253Z",
"dateUpdated": "2025-01-14T14:59:54.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-0059",
"date": "2026-05-27",
"epss": "0.0002",
"percentile": "0.05995"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.\"}]",
"id": "CVE-2025-0059",
"lastModified": "2025-01-14T01:15:16.190",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"baseScore\": 6.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 4.0}]}",
"published": "2025-01-14T01:15:16.190",
"references": "[{\"url\": \"https://me.sap.com/notes/3503138\", \"source\": \"cna@sap.com\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\", \"source\": \"cna@sap.com\"}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Received",
"weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-497\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-0059\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2025-01-14T01:15:16.190\",\"lastModified\":\"2025-01-14T01:15:16.190\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.\"},{\"lang\":\"es\",\"value\":\" Las aplicaciones basadas en SAP GUI para HTML en SAP NetWeaver Application Server ABAP almacenan la informaci\u00f3n ingresada por el usuario en el almacenamiento local del navegador para mejorar la usabilidad. Un atacante con privilegios administrativos o acceso al directorio de usuarios de la v\u00edctima en el nivel del sistema operativo podr\u00eda leer estos datos. Dependiendo de la informaci\u00f3n ingresada por el usuario en las transacciones, los datos divulgados podr\u00edan variar desde datos no cr\u00edticos hasta datos altamente sensibles, lo que causa un alto impacto en la confidencialidad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.5,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3503138\",\"source\":\"cna@sap.com\"},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0059\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-14T14:59:47.210508Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-14T14:59:50.886Z\"}}], \"cna\": {\"title\": \"Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)\", \"versions\": [{\"status\": \"affected\", \"version\": \"KRNL64UC 7.53\"}, {\"status\": \"affected\", \"version\": \"KERNEL 7.53\"}, {\"status\": \"affected\", \"version\": \"7.54\"}, {\"status\": \"affected\", \"version\": \"7.77\"}, {\"status\": \"affected\", \"version\": \"7.89\"}, {\"status\": \"affected\", \"version\": \"7.93\"}, {\"status\": \"affected\", \"version\": \"9.12\"}, {\"status\": \"affected\", \"version\": \"9.14\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3503138\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eApplications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-497\", \"description\": \"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2025-01-14T00:09:07.029Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-0059\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-14T14:59:54.719Z\", \"dateReserved\": \"2024-12-05T21:38:16.253Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2025-01-14T00:09:07.029Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2025-AVI-0027
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | GUI pour Java version BC-FES-JAV 7.80 sans le dernier correctif de sécurité | ||
| SAP | N/A | GUI pour Windows version BC-FES-GUI 8.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS pour ABAP et ABAP Platform (Internet Communication Framework) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de sécurité | ||
| SAP | N/A | SAPSetup version LMSAPSETUP 9.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server pour ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756 et SAP_BASIS 757 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server ABAP (applications basé sur GUI pour HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server pour ABAP et ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS JAVA (User Admin Application) versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Workflow et Flexible Workflow versions SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence Platform (Crystal Reports pour Enterprise) version ENTERPRISE 430 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "GUI pour Java version BC-FES-JAV 7.80 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "GUI pour Windows version BC-FES-GUI 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS pour ABAP et ABAP Platform (Internet Communication Framework) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAPSetup version LMSAPSETUP 9.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server pour ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756 et SAP_BASIS 757 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP (applications bas\u00e9 sur GUI pour HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server pour ABAP et ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS JAVA (User Admin Application) versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Workflow et Flexible Workflow versions SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform (Crystal Reports pour Enterprise) version ENTERPRISE 430 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-0055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0055"
},
{
"name": "CVE-2025-0057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0057"
},
{
"name": "CVE-2025-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0056"
},
{
"name": "CVE-2025-0060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0060"
},
{
"name": "CVE-2025-0058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0058"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2025-0068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0068"
},
{
"name": "CVE-2025-0053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0053"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2025-0069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0069"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2025-0070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0070"
},
{
"name": "CVE-2025-0066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0066"
},
{
"name": "CVE-2025-0061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0061"
},
{
"name": "CVE-2025-0067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0067"
},
{
"name": "CVE-2025-0063",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0063"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0027",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 SAP january-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html"
}
]
}
CERTFR-2025-AVI-0867
Vulnerability from certfr_avis - Published: 2025-10-14 - Updated: 2025-10-14
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | SAP NetWeaver AS Java | NetWeaver AS Java version SERVERCORE 7.50 sans le dernier correctif de sécurité | ||
| SAP | Financial Service Claims Management | Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Print Service | Print Service versions SAPSPRINT 8.00 et 8.10 sans le dernier correctif de sécurité | ||
| SAP | Data Hub Integration Suite | Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 sans le dernier correctif de sécurité | ||
| SAP | BusinessObjects | BusinessObjects versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server pour ABAP | Application Server pour ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver | NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | S/4HANA versions S4CORE 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Cloud Appliance Library Appliances | Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server pour ABAP | Application Server pour ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP et ABAP Platform | NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | Supplier Relationship Management | Supplier Relationship Management versions SRMNXP01 100 et 150 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP | NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "NetWeaver AS Java version SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "SAP NetWeaver AS Java",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Financial Service Claims Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Print Service versions SAPSPRINT 8.00 et 8.10 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Print Service",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Data Hub Integration Suite",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "BusinessObjects",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server pour ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server pour ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA versions S4CORE 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Cloud Appliance Library Appliances",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server pour ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server pour ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP et ABAP Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management versions SRMNXP01 100 et 150 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Supplier Relationship Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-42944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42944"
},
{
"name": "CVE-2025-42906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42906"
},
{
"name": "CVE-2025-42902",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42902"
},
{
"name": "CVE-2025-42903",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42903"
},
{
"name": "CVE-2025-42910",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42910"
},
{
"name": "CVE-2025-42909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42909"
},
{
"name": "CVE-2025-5115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
},
{
"name": "CVE-2025-42984",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42984"
},
{
"name": "CVE-2025-42908",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42908"
},
{
"name": "CVE-2025-42937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42937"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2025-48913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
},
{
"name": "CVE-2025-42939",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42939"
},
{
"name": "CVE-2025-31672",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31672"
},
{
"name": "CVE-2025-31331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31331"
},
{
"name": "CVE-2025-42901",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42901"
}
],
"initial_release_date": "2025-10-14T00:00:00",
"last_revision_date": "2025-10-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0867",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 SAP october-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html"
}
]
}
CERTFR-2026-AVI-0141
Vulnerability from certfr_avis - Published: 2026-02-10 - Updated: 2026-02-10
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | S/4HANA | S/4HANA Defense & Security (Disconnected Operations) versions EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 801, 802, 803, 804, 805, 806, 807, 808 et 809 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects Business Intelligence Platform (AdminTools) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects BI Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | N/A | Support Tools Plug-In versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver (JMS service) version J2EE-FRMW 7.50 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | ABAP based systems versions ST-PI 2005_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | Document Management System versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver AS ABAP and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917 et SAP_BASIS 918 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | CRM et S/4HANA (Scripting Editor) versions S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de sécurité | ||
| SAP | Business One (SLD) | Business One (B1 Client Memory Dump Files) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | Supply Chain Management versions SCMAPO 713, 714, SCM 700, 701, 702 et 712 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Manage Service Entry Sheets - Lean Services) versions S4CORE 102, 103, 104, 105, 106 et 107 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Workflow versions SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP and S/4HANA versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Server Pages Application (TAF_APPLAUNCHER) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver and ABAP Platform (Application Server ABAP) versions [KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17 et 9.18] sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et COM_CLOUD 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18 et 9.19 sans le dernier correctif de sécurité | ||
| SAP | N/A | Solution Tools Plug-In (ST-PI) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Enterprise (Central Management Console) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | N/A | Strategic Enterprise Management (Balanced Scorecard in BSP Application) versions SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 748 et 800 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server Java version LMNWABASICAPPS 7.50 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "S/4HANA Defense \u0026 Security (Disconnected Operations) versions EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 801, 802, 803, 804, 805, 806, 807, 808 et 809 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform (AdminTools) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects BI Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Support Tools Plug-In versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver (JMS service) version J2EE-FRMW 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ABAP based systems versions ST-PI 2005_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Document Management System versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS ABAP and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917 et SAP_BASIS 918 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "CRM et S/4HANA (Scripting Editor) versions S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business One (B1 Client Memory Dump Files) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business One (SLD)",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supply Chain Management versions SCMAPO 713, 714, SCM 700, 701, 702 et 712 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Manage Service Entry Sheets - Lean Services) versions S4CORE 102, 103, 104, 105, 106 et 107 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Workflow versions SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and S/4HANA versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (TAF_APPLAUNCHER) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP Platform (Application Server ABAP) versions [KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17 et 9.18] sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et COM_CLOUD 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18 et 9.19 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Solution Tools Plug-In (ST-PI) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Enterprise (Central Management Console) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Strategic Enterprise Management (Balanced Scorecard in BSP Application) versions SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 748 et 800 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version LMNWABASICAPPS 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23681"
},
{
"name": "CVE-2026-24326",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24326"
},
{
"name": "CVE-2026-24320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24320"
},
{
"name": "CVE-2026-23688",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23688"
},
{
"name": "CVE-2026-24319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24319"
},
{
"name": "CVE-2026-24321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24321"
},
{
"name": "CVE-2026-0485",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0485"
},
{
"name": "CVE-2026-24324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24324"
},
{
"name": "CVE-2026-0509",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0509"
},
{
"name": "CVE-2026-0508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0508"
},
{
"name": "CVE-2025-12383",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12383"
},
{
"name": "CVE-2026-24312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24312"
},
{
"name": "CVE-2026-0486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0486"
},
{
"name": "CVE-2026-23684",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23684"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2026-23689",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23689"
},
{
"name": "CVE-2026-0484",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0484"
},
{
"name": "CVE-2026-24325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24325"
},
{
"name": "CVE-2026-0488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0488"
},
{
"name": "CVE-2026-0490",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0490"
},
{
"name": "CVE-2026-23687",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23687"
},
{
"name": "CVE-2026-24322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24322"
},
{
"name": "CVE-2026-23686",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23686"
},
{
"name": "CVE-2026-23685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23685"
},
{
"name": "CVE-2026-24323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24323"
},
{
"name": "CVE-2026-0505",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0505"
},
{
"name": "CVE-2026-24328",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24328"
},
{
"name": "CVE-2026-24327",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24327"
}
],
"initial_release_date": "2026-02-10T00:00:00",
"last_revision_date": "2026-02-10T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0141",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2026-02-10",
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2026",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html"
}
]
}
CERTFR-2025-AVI-0027
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | GUI pour Java version BC-FES-JAV 7.80 sans le dernier correctif de sécurité | ||
| SAP | N/A | GUI pour Windows version BC-FES-GUI 8.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS pour ABAP et ABAP Platform (Internet Communication Framework) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de sécurité | ||
| SAP | N/A | SAPSetup version LMSAPSETUP 9.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server pour ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756 et SAP_BASIS 757 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server ABAP (applications basé sur GUI pour HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server pour ABAP et ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS JAVA (User Admin Application) versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Workflow et Flexible Workflow versions SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence Platform (Crystal Reports pour Enterprise) version ENTERPRISE 430 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "GUI pour Java version BC-FES-JAV 7.80 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "GUI pour Windows version BC-FES-GUI 8.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS pour ABAP et ABAP Platform (Internet Communication Framework) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "SAPSetup version LMSAPSETUP 9.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server pour ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756 et SAP_BASIS 757 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP (applications bas\u00e9 sur GUI pour HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server pour ABAP et ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS JAVA (User Admin Application) versions ENGINEAPI 7.50, SERVERCORE 7.50 et UMEADMIN 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Workflow et Flexible Workflow versions SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform (Crystal Reports pour Enterprise) version ENTERPRISE 430 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-0055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0055"
},
{
"name": "CVE-2025-0057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0057"
},
{
"name": "CVE-2025-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0056"
},
{
"name": "CVE-2025-0060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0060"
},
{
"name": "CVE-2025-0058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0058"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2025-0068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0068"
},
{
"name": "CVE-2025-0053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0053"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2025-0069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0069"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2025-0070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0070"
},
{
"name": "CVE-2025-0066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0066"
},
{
"name": "CVE-2025-0061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0061"
},
{
"name": "CVE-2025-0067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0067"
},
{
"name": "CVE-2025-0063",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0063"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0027",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 SAP january-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html"
}
]
}
CERTFR-2025-AVI-0867
Vulnerability from certfr_avis - Published: 2025-10-14 - Updated: 2025-10-14
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | SAP NetWeaver AS Java | NetWeaver AS Java version SERVERCORE 7.50 sans le dernier correctif de sécurité | ||
| SAP | Financial Service Claims Management | Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Print Service | Print Service versions SAPSPRINT 8.00 et 8.10 sans le dernier correctif de sécurité | ||
| SAP | Data Hub Integration Suite | Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 sans le dernier correctif de sécurité | ||
| SAP | BusinessObjects | BusinessObjects versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server pour ABAP | Application Server pour ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver | NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | S/4HANA versions S4CORE 104, 105, 106, 107, 108 et 109 sans le dernier correctif de sécurité | ||
| SAP | Cloud Appliance Library Appliances | Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server pour ABAP | Application Server pour ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP et ABAP Platform | NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 et 9.16 sans le dernier correctif de sécurité | ||
| SAP | Supplier Relationship Management | Supplier Relationship Management versions SRMNXP01 100 et 150 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver Application Server ABAP | NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "NetWeaver AS Java version SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "SAP NetWeaver AS Java",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Financial Service Claims Management versions INSURANCE 803, 804, 805, 806, S4CEXT 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Financial Service Claims Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Print Service versions SAPSPRINT 8.00 et 8.10 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Print Service",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Data Hub Integration Suite",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "BusinessObjects",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server pour ABAP versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server pour ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "S/4HANA versions S4CORE 104, 105, 106, 107, 108 et 109 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Cloud Appliance Library Appliances version TITANIUM_WEBAPP 4.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Cloud Appliance Library Appliances",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Application Server pour ABAP versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 et 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server pour ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15 et 9.16 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP et ABAP Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management versions SRMNXP01 100 et 150 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Supplier Relationship Management",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP versions RNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver Application Server ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-42944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42944"
},
{
"name": "CVE-2025-42906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42906"
},
{
"name": "CVE-2025-42902",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42902"
},
{
"name": "CVE-2025-42903",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42903"
},
{
"name": "CVE-2025-42910",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42910"
},
{
"name": "CVE-2025-42909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42909"
},
{
"name": "CVE-2025-5115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
},
{
"name": "CVE-2025-42984",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42984"
},
{
"name": "CVE-2025-42908",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42908"
},
{
"name": "CVE-2025-42937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42937"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2025-48913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
},
{
"name": "CVE-2025-42939",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42939"
},
{
"name": "CVE-2025-31672",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31672"
},
{
"name": "CVE-2025-31331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31331"
},
{
"name": "CVE-2025-42901",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-42901"
}
],
"initial_release_date": "2025-10-14T00:00:00",
"last_revision_date": "2025-10-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0867",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 SAP october-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html"
}
]
}
CERTFR-2026-AVI-0141
Vulnerability from certfr_avis - Published: 2026-02-10 - Updated: 2026-02-10
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | S/4HANA | S/4HANA Defense & Security (Disconnected Operations) versions EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 801, 802, 803, 804, 805, 806, 807, 808 et 809 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects Business Intelligence Platform (AdminTools) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects BI Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | Business Objects Business Intelligence Platform | BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | N/A | Support Tools Plug-In versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver (JMS service) version J2EE-FRMW 7.50 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | ABAP based systems versions ST-PI 2005_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | Document Management System versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver AS ABAP and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917 et SAP_BASIS 918 sans le dernier correctif de sécurité | ||
| SAP | S/4HANA | CRM et S/4HANA (Scripting Editor) versions S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de sécurité | ||
| SAP | Business One (SLD) | Business One (B1 Client Memory Dump Files) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | Supply Chain Management versions SCMAPO 713, 714, SCM 700, 701, 702 et 712 sans le dernier correctif de sécurité | ||
| SAP | Fiori App | Fiori App (Manage Service Entry Sheets - Lean Services) versions S4CORE 102, 103, 104, 105, 106 et 107 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Workflow versions SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP and S/4HANA versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de sécurité | ||
| SAP | N/A | Business Server Pages Application (TAF_APPLAUNCHER) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver and ABAP Platform (Application Server ABAP) versions [KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17 et 9.18] sans le dernier correctif de sécurité | ||
| SAP | Commerce Cloud | Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et COM_CLOUD 2211-JDK21 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18 et 9.19 sans le dernier correctif de sécurité | ||
| SAP | N/A | Solution Tools Plug-In (ST-PI) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Enterprise (Central Management Console) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de sécurité | ||
| SAP | N/A | Strategic Enterprise Management (Balanced Scorecard in BSP Application) versions SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 748 et 800 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de sécurité | ||
| SAP | NetWeaver et ABAP | NetWeaver Application Server Java version LMNWABASICAPPS 7.50 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "S/4HANA Defense \u0026 Security (Disconnected Operations) versions EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 801, 802, 803, 804, 805, 806, 807, 808 et 809 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform (AdminTools) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects BI Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business Objects Business Intelligence Platform",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Support Tools Plug-In versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver (JMS service) version J2EE-FRMW 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ABAP based systems versions ST-PI 2005_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Document Management System versions SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606 et 617 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS ABAP and ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917 et SAP_BASIS 918 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "CRM et S/4HANA (Scripting Editor) versions S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "S/4HANA",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business One (B1 Client Memory Dump Files) versions B1_ON_HANA 10.0 et SAP-M-BO 10.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Business One (SLD)",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supply Chain Management versions SCMAPO 713, 714, SCM 700, 701, 702 et 712 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori App (Manage Service Entry Sheets - Lean Services) versions S4CORE 102, 103, 104, 105, 106 et 107 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Fiori App",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Workflow versions SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and S/4HANA versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 816 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Business Server Pages Application (TAF_APPLAUNCHER) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP Platform (Application Server ABAP) versions [KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17 et 9.18] sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211 et COM_CLOUD 2211-JDK21 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Commerce Cloud",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP and ABAP Platform versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18 et 9.19 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Solution Tools Plug-In (ST-PI) versions ST-PI 2008_1_700, 2008_1_710, 740 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Enterprise (Central Management Console) versions ENTERPRISE 430, 2025 et 2027 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Strategic Enterprise Management (Balanced Scorecard in BSP Application) versions SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 748 et 800 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version LMNWABASICAPPS 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "NetWeaver et ABAP",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23681"
},
{
"name": "CVE-2026-24326",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24326"
},
{
"name": "CVE-2026-24320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24320"
},
{
"name": "CVE-2026-23688",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23688"
},
{
"name": "CVE-2026-24319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24319"
},
{
"name": "CVE-2026-24321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24321"
},
{
"name": "CVE-2026-0485",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0485"
},
{
"name": "CVE-2026-24324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24324"
},
{
"name": "CVE-2026-0509",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0509"
},
{
"name": "CVE-2026-0508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0508"
},
{
"name": "CVE-2025-12383",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12383"
},
{
"name": "CVE-2026-24312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24312"
},
{
"name": "CVE-2026-0486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0486"
},
{
"name": "CVE-2026-23684",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23684"
},
{
"name": "CVE-2025-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0059"
},
{
"name": "CVE-2026-23689",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23689"
},
{
"name": "CVE-2026-0484",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0484"
},
{
"name": "CVE-2026-24325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24325"
},
{
"name": "CVE-2026-0488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0488"
},
{
"name": "CVE-2026-0490",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0490"
},
{
"name": "CVE-2026-23687",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23687"
},
{
"name": "CVE-2026-24322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24322"
},
{
"name": "CVE-2026-23686",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23686"
},
{
"name": "CVE-2026-23685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23685"
},
{
"name": "CVE-2026-24323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24323"
},
{
"name": "CVE-2026-0505",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0505"
},
{
"name": "CVE-2026-24328",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24328"
},
{
"name": "CVE-2026-24327",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24327"
}
],
"initial_release_date": "2026-02-10T00:00:00",
"last_revision_date": "2026-02-10T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0141",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2026-02-10",
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2026",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html"
}
]
}
BDU:2025-00577
Vulnerability from fstec - Published: 13.01.2025
VLAI
Title
Уязвимость программного обеспечения разработки и выполнения приложений на языке ABAP SAP NetWeaver Application Server ABAP, связанная с раскрытием системных данных неавторизованной для контролируемой области, позволяющая нарушителю раскрыть защищаемую информацию
Description
Уязвимость программного обеспечения разработки и выполнения приложений на языке ABAP SAP NetWeaver Application Server ABAP связана с раскрытием системных данных неавторизованной для контролируемой области. Эксплуатация уязвимости может позволить нарушителю раскрыть защищаемую информацию
Severity
Vendor
SAP
Software Name
SAP NetWeaver Application Server
Software Version
kernel 7.53 (SAP NetWeaver Application Server), krnl64uc 7.53 (SAP NetWeaver Application Server), 7.54 (SAP NetWeaver Application Server), 7.77 (SAP NetWeaver Application Server), 7.89 (SAP NetWeaver Application Server), 7.93 (SAP NetWeaver Application Server), 9.12 (SAP NetWeaver Application Server), 9.14 (SAP NetWeaver Application Server)
Possible Mitigations
Использование рекомендаций производителя:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html
Reference
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html
CWE
CWE-497
{
"CVSS 2.0": "AV:L/AC:L/Au:S/C:C/I:N/A:N",
"CVSS 3.0": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "SAP",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "kernel 7.53 (SAP NetWeaver Application Server), krnl64uc 7.53 (SAP NetWeaver Application Server), 7.54 (SAP NetWeaver Application Server), 7.77 (SAP NetWeaver Application Server), 7.89 (SAP NetWeaver Application Server), 7.93 (SAP NetWeaver Application Server), 9.12 (SAP NetWeaver Application Server), 9.14 (SAP NetWeaver Application Server)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.01.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "22.01.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.01.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-00577",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-0059",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SAP NetWeaver Application Server",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u043d\u0430 \u044f\u0437\u044b\u043a\u0435 ABAP SAP NetWeaver Application Server ABAP, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0434\u043b\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0439 \u043e\u0431\u043b\u0430\u0441\u0442\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0434\u043b\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0439 \u043e\u0431\u043b\u0430\u0441\u0442\u0438 (CWE-497)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u043d\u0430 \u044f\u0437\u044b\u043a\u0435 ABAP SAP NetWeaver Application Server ABAP \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0434\u043b\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0439 \u043e\u0431\u043b\u0430\u0441\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-497",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,6)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6)"
}
CNVD-2025-05565
Vulnerability from cnvd - Published: 2025-03-14
VLAI
Title
SAP NetWeaver Application Server信息泄露漏洞
Description
SAP NetWeaver Application Server是德国思爱普(SAP)公司的一款应用程序服务器。
SAP NetWeaver Application Server ABAP存在信息泄露漏洞,具有管理权限或用户目录权限的攻击者可利用该漏洞泄露数据并影响程序的机密性。
Severity
中
Patch Name
SAP NetWeaver Application Server信息泄露漏洞的补丁
Patch Description
SAP NetWeaver Application Server是德国思爱普(SAP)公司的一款应用程序服务器。
SAP NetWeaver Application Server ABAP存在信息泄露漏洞,具有管理权限或用户目录权限的攻击者可利用该漏洞泄露数据并影响程序的机密性。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: https://me.sap.com/notes/3503138
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0059
Impacted products
| Name | SAP NetWeaver Application Server |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2025-0059",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-0059"
}
},
"description": "SAP NetWeaver Application Server\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\n\nSAP NetWeaver Application Server ABAP\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5177\u6709\u7ba1\u7406\u6743\u9650\u6216\u7528\u6237\u76ee\u5f55\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6cc4\u9732\u6570\u636e\u5e76\u5f71\u54cd\u7a0b\u5e8f\u7684\u673a\u5bc6\u6027\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://me.sap.com/notes/3503138",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2025-05565",
"openTime": "2025-03-14",
"patchDescription": "SAP NetWeaver Application Server\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\r\n\r\nSAP NetWeaver Application Server ABAP\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5177\u6709\u7ba1\u7406\u6743\u9650\u6216\u7528\u6237\u76ee\u5f55\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6cc4\u9732\u6570\u636e\u5e76\u5f71\u54cd\u7a0b\u5e8f\u7684\u673a\u5bc6\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "SAP NetWeaver Application Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "SAP NetWeaver Application Server"
},
"referenceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0059",
"serverity": "\u4e2d",
"submitTime": "2025-03-14",
"title": "SAP NetWeaver Application Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}
FKIE_CVE-2025-0059
Vulnerability from fkie_nvd - Published: 2025-01-14 01:15 - Updated: 2026-04-15 00:35
Severity
Summary
Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim�s user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application."
},
{
"lang": "es",
"value": " Las aplicaciones basadas en SAP GUI para HTML en SAP NetWeaver Application Server ABAP almacenan la informaci\u00f3n ingresada por el usuario en el almacenamiento local del navegador para mejorar la usabilidad. Un atacante con privilegios administrativos o acceso al directorio de usuarios de la v\u00edctima en el nivel del sistema operativo podr\u00eda leer estos datos. Dependiendo de la informaci\u00f3n ingresada por el usuario en las transacciones, los datos divulgados podr\u00edan variar desde datos no cr\u00edticos hasta datos altamente sensibles, lo que causa un alto impacto en la confidencialidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2025-0059",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 4.0,
"source": "cna@sap.com",
"type": "Secondary"
}
]
},
"published": "2025-01-14T01:15:16.190",
"references": [
{
"source": "cna@sap.com",
"url": "https://me.sap.com/notes/3503138"
},
{
"source": "cna@sap.com",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-497"
}
],
"source": "cna@sap.com",
"type": "Secondary"
}
]
}
GHSA-VRFF-9QRR-6VQR
Vulnerability from github – Published: 2025-01-14 03:31 – Updated: 2025-01-14 03:31
VLAI
Details
Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim�s user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.
Severity
6.0 (Medium)
{
"affected": [],
"aliases": [
"CVE-2025-0059"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T01:15:16Z",
"severity": "MODERATE"
},
"details": "Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim\ufffds user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.",
"id": "GHSA-vrff-9qrr-6vqr",
"modified": "2025-01-14T03:31:41Z",
"published": "2025-01-14T03:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0059"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3503138"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…