121 matches found
CVE-2019-0391
Under certain conditions SAP NetWeaver AS Java corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 allows an attacker to access information which would otherwise be restricted...
CVE-2019-0391
The CVE-2019-0391 issue affects SAP NetWeaver AS Java and enables information disclosure. Multiple sources confirm affected SAP NetWeaver AS Java versions: 7.10, 7.20, 7.30, 7.31, 7.40, and 7.50. Root cause and impact are described as an information-disclosure vulnerability that could allow attac...
SAP NetWeaver AS Java CVE-2019-0391 Information Disclosure Vulnerability
Description SAP NetWeaver AS Java is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. SAP NetWeaver AS Java versions 7.10, 7.20, 7.30, 7.31, 7.4 and 7.5 are vulnerable. Technologies Affect...
CVE-2019-0318
CVE-2019-0318 affects SAP NetWeaver Application Server for Java (Startup Framework) versions 7.21, 7.22, 7.45, 7.49 and 7.53. Under certain conditions, an attacker can access information that would be restricted (information disclosure). The Connected documents reiterate the same affected product...
CVE-2018-2504
SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting XSS vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50...
CVE-2018-2504
CVE-2018-2504 affects SAP NetWeaver AS Java Web Container. The issue arises because the HTTP Host header is not validated against a whitelist, enabling potential HTTP Host Header Manipulation and related XSS . Root cause: missing host header whitelisting in the web container. Impact is mitigated ...
CVE-2018-2503
The CVE-2018-2503 entry concerns SAP NetWeaver AS Java keystore service, where access to protected resources was not sufficiently restricted, enabling information disclosure. Public documents confirm this vulnerability exists in the SAP NetWeaver AS Java keystore service and that the issue has be...
CVE-2018-2492
CVE-2018-2492 affects SAP NetWeaver AS Java where the SAML 2.0 functionality does not sufficiently validate XML documents from an untrusted source. The issue is resolved by updating to versions 7.2, 7.30, 7.31, 7.40 or 7.50. The description notes the vulnerability and its remediation, but the pro...
CVE-2018-2371
CVE-2018-2371 affects SAP NetWeaver AS Java Web Application (SAML 2.0 SP) 7.50. The issue is insufficient encoding of user-controlled inputs, causing Cross-Site Scripting (XSS). CVSSv3 base 6.1 (NETWORK, LOW ATTACK COMPLEXITY, UI REQUIRED, CHANGED SCOPE; CONFIDENTIALITY/INTEGRITY LOW) and CVSSv2 ...
CVE-2017-14581
CVE-2017-14581 involves SAP NetWeaver AS JAVA, affected in the Host Control web service for versions 7.0–7.5. The issue allows remote attackers to cause a denial of service (service crash) via a crafted request (as noted in SAP Security Note 2389181). The available references confirm the DoS impa...
CVE-2017-11457
XML external entity XXE vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery SSRF attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249...
Server side request forgery (ssrf)
XML external entity XXE vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery SSRF attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249...
CVE-2017-11457
XML external entity XXE vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery SSRF attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249...
CVE-2017-8913
The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity XXE attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873...
CVE-2017-8913
The CVE-2017-8913 vulnerability affects SAP NetWeaver AS JAVA 7.5, specifically the Visual Composer VC70RUNTIME component. Affected files/components include VC70RUNTIME (7.30–7.50) and VCFRAMEWORK/VCFLEX7.00 as listed in public advisories. The issue is an XML External Entity (XXE) vulnerability t...
Log injection in SAP NetWeaver AS Java using basic auth
Application: SAP NetWeaver AS Java Versions Affected: ENGINEAPI 7.10-7.50 Vendor URL: SAP Bug: Log Injection Reported: 17.05.2017 Vendor response: 18.05.2017 Date of Public Advisory: 14.11.2017 Reference: SAP Security Note 2485208 Author: Vahagn Vardanyan ERPScan VULNERABILITY INFORMATION Class:...
Sql injection
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504...
CVE-2017-7717
The CVE-2017-7717 entry concerns SAP NetWeaver AS Java 7.4, specifically the ES UDDI component. The vulnerability arises in the getUserUddiElements method, described as an SQL injection that permits remote authenticated users to execute arbitrary SQL commands via unspecified vectors. This is supp...
CVE-2017-7696
CVE-2017-7696 affects SAP AS JAVA SSO Authentication Library versions 2.0–3.0. A remote attacker can trigger a denial-of-service by sending a request that causes the server to generate a very large image via otp_logon_ui_resources/qr (e.g., width/height parameters). The issue is a memory exhausti...
CVE-2016-10304
The CVE-2016-10304 entry concerns SAP NetWeaver AS JAVA 7.5, specifically the EP-RUNTIME component. Affected component: SAP EP-RUNTIME within SAP NetWeaver AS JAVA 7.5. Root cause: remote authenticated users can trigger a denial of service via a crafted serialized Java object, as demonstrated by ...