Filtered by vendor Sap
Subscriptions
Filtered by product Netweaver Application Server Java
Subscriptions
Total
61 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-12637 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-14 | 7.5 High |
| Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. | ||||
| CVE-2023-42480 | 1 Sap | 1 Netweaver Application Server Java | 2023-11-20 | 5.3 Medium |
| The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability. | ||||
| CVE-2022-41262 | 1 Sap | 1 Netweaver Application Server Java | 2023-11-07 | 6.1 Medium |
| Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application. | ||||
| CVE-2023-42477 | 1 Sap | 1 Netweaver Application Server Java | 2023-10-16 | 6.5 Medium |
| SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application. | ||||
| CVE-2023-40308 | 1 Sap | 9 Commoncryptolib, Content Server, Extended Application Services And Runtime and 6 more | 2023-09-15 | 7.5 High |
| SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information. | ||||
| CVE-2023-40309 | 1 Sap | 9 Commoncryptolib, Content Server, Extended Application Services And Runtime and 6 more | 2023-09-15 | 9.8 Critical |
| SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. | ||||
| CVE-2023-24526 | 1 Sap | 1 Netweaver Application Server Java | 2023-04-11 | 5.3 Medium |
| SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. | ||||
| CVE-2022-22533 | 1 Sap | 1 Netweaver Application Server Java | 2022-10-27 | 7.5 High |
| Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable. | ||||
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2022-10-07 | 5.3 Medium |
| SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. | ||||
| CVE-2022-22532 | 1 Sap | 1 Netweaver Application Server Java | 2022-09-30 | 9.8 Critical |
| In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. | ||||
| CVE-2021-21485 | 1 Sap | 1 Netweaver Application Server Java | 2022-07-12 | 6.5 Medium |
| An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. | ||||
| CVE-2021-33670 | 1 Sap | 1 Netweaver Application Server Java | 2022-05-12 | 7.5 High |
| SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. | ||||
| CVE-2021-33687 | 1 Sap | 1 Netweaver Application Server Java | 2022-05-03 | 4.9 Medium |
| SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. | ||||
| CVE-2016-9563 | 1 Sap | 1 Netweaver Application Server Java | 2022-04-29 | 6.5 Medium |
| BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. | ||||
| CVE-2016-3976 | 1 Sap | 1 Netweaver Application Server Java | 2022-04-29 | 7.5 High |
| Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | ||||
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2022-04-28 | 10.0 Critical |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | ||||
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2022-03-18 | 5.3 Medium |
| Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | ||||
| CVE-2020-26820 | 1 Sap | 1 Netweaver Application Server Java | 2022-01-01 | 7.2 High |
| SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it. | ||||
| CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-23 | 9.8 Critical |
| SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | ||||
| CVE-2019-0275 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-09 | 5.4 Medium |
| SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. | ||||