Netweaver Application Server Java@7.50 Security Vulnerabilities and Issues — Netweaver Application Server Java@7.50 CVE List

Lucene search

SapNetweaver Application Server Java7.50

45 matches found

CVE•added 2020/07/14 1:15 p.m.•1199 views

CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create ...

10CVSS10AI score0.94395EPSS

CVE•added 2016/11/23 2:59 a.m.•985 views

CVE-2016-9563

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

6.5CVSS6.4AI score0.41099EPSS

CVE•added 2020/07/14 1:15 p.m.•214 views

CVE-2020-6286

The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.

5.3CVSS7AI score0.86913EPSS

CVE•added 2017/08/07 8:29 p.m.•197 views

CVE-2017-12637

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

7.5CVSS7.4AI score0.91938EPSS

CVE•added 2019/07/10 8:15 p.m.•147 views

CVE-2019-0327

SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.

7.2CVSS7AI score0.00756EPSS

CVE•added 2021/07/14 12:15 p.m.•94 views

CVE-2021-33670

SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to deni...

7.5CVSS7.4AI score0.01845EPSS

CVE•added 2022/03/10 5:47 p.m.•77 views

CVE-2022-26103

Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks.

5.3CVSS5.2AI score0.00176EPSS

CVE•added 2020/03/10 9:15 p.m.•73 views

CVE-2020-6202

SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.

7.2CVSS7AI score0.00476EPSS

CVE•added 2019/09/10 5:15 p.m.•71 views

CVE-2019-0355

SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the app...

7.2CVSS7AI score0.00471EPSS

CVE•added 2020/10/15 3:15 a.m.•67 views

CVE-2020-6365

SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victi...

6.1CVSS6.4AI score0.00212EPSS

CVE•added 2022/12/12 10:15 p.m.•67 views

CVE-2022-41262

Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...

6.1CVSS6.2AI score0.00563EPSS

CVE•added 2021/09/14 12:15 p.m.•64 views

CVE-2021-37535

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.

10CVSS9.4AI score0.00337EPSS

CVE•added 2020/02/12 8:15 p.m.•63 views

CVE-2020-6190

Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.

5.8CVSS5.4AI score0.00261EPSS

CVE•added 2021/04/13 7:15 p.m.•60 views

CVE-2021-21492

SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.

4.3CVSS5AI score0.00161EPSS

CVE•added 2023/03/14 5:15 a.m.•59 views

CVE-2023-24526

SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can...

5.3CVSS5.6AI score0.00252EPSS

CVE•added 2021/04/13 7:15 p.m.•57 views

CVE-2021-21485

An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.

7.4CVSS6.5AI score0.00274EPSS

CVE•added 2020/11/10 5:15 p.m.•55 views

CVE-2020-26820

SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechani...

9.1CVSS7.2AI score0.03156EPSS

CVE•added 2023/11/14 1:15 a.m.•55 views

CVE-2023-42480

The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.

5.3CVSS5.5AI score0.00104EPSS

CVE•added 2020/06/10 1:15 p.m.•54 views

CVE-2020-6263

Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that requ...

9.8CVSS9.5AI score0.00224EPSS

CVE•added 2020/08/12 2:15 p.m.•54 views

CVE-2020-6309

SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.

7.8CVSS7.6AI score0.00606EPSS

CVE•added 2020/04/14 7:15 p.m.•53 views

CVE-2020-6224

SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure...

6.2CVSS6.4AI score0.00285EPSS

CVE•added 2020/10/15 2:15 a.m.•53 views

CVE-2020-6319

SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authenticati...

6.1CVSS6.3AI score0.00322EPSS

CVE•added 2020/12/09 5:15 p.m.•52 views

CVE-2020-26829

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. ...

10CVSS9.6AI score0.01906EPSS

CVE•added 2021/04/13 7:15 p.m.•51 views

CVE-2021-27601

SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the atta...

5.4CVSS5.5AI score0.00162EPSS

CVE•added 2021/04/13 7:15 p.m.•50 views

CVE-2021-27598

SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.

6.5CVSS5.3AI score0.00183EPSS

CVE•added 2017/07/25 6:29 p.m.•49 views

CVE-2017-11457

XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.

6.5CVSS6.2AI score0.00587EPSS

CVE•added 2024/02/13 2:15 a.m.•49 views

CVE-2024-22126

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and ...

8.8CVSS6.2AI score0.00323EPSS

CVE•added 2019/08/14 2:15 p.m.•47 views

CVE-2019-0345

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP M...

9.8CVSS9.5AI score0.01025EPSS

CVE•added 2020/12/09 5:15 p.m.•46 views

CVE-2020-26826

Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

6.5CVSS6.5AI score0.00448EPSS

CVE•added 2021/07/14 12:15 p.m.•46 views

CVE-2021-33687

SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information.

4.9CVSS4.7AI score0.00448EPSS

CVE•added 2021/07/14 12:15 p.m.•46 views

CVE-2021-33689

When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted.

4.3CVSS4.8AI score0.00336EPSS

CVE•added 2024/02/13 3:15 a.m.•45 views

CVE-2024-24743

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so...

8.6CVSS8.4AI score0.00202EPSS

CVE•added 2019/03/12 10:29 p.m.•44 views

CVE-2019-0275

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

5.4CVSS5.2AI score0.00252EPSS

CVE•added 2023/10/10 2:15 a.m.•44 views

CVE-2023-42477

SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.

6.5CVSS6.4AI score0.00092EPSS

CVE•added 2018/09/11 3:29 p.m.•43 views

CVE-2018-2452

The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability.

6.1CVSS5.9AI score0.0059EPSS

CVE•added 2020/12/09 5:15 p.m.•43 views

CVE-2020-26816

SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access ...

5.4CVSS5.2AI score0.0002EPSS

CVE•added 2021/03/10 3:15 p.m.•43 views

CVE-2021-21491

SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

6.1CVSS6.2AI score0.00133EPSS

CVE•added 2018/12/11 11:0 p.m.•42 views

CVE-2018-2504

SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

6.1CVSS5.9AI score0.00391EPSS

CVE•added 2018/12/11 11:0 p.m.•41 views

CVE-2018-2492

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

7.1CVSS6.8AI score0.00385EPSS

CVE•added 2019/11/13 10:15 p.m.•41 views

CVE-2019-0391

Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.

4.3CVSS4.4AI score0.00272EPSS

CVE•added 2020/07/14 1:15 p.m.•40 views

CVE-2020-6282

SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usual...

5.8CVSS5.6AI score0.00137EPSS

CVE•added 2020/09/09 1:15 p.m.•38 views

CVE-2020-6313

SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScri...

6.5CVSS6.1AI score0.00296EPSS

CVE•added 2018/12/11 11:0 p.m.•37 views

CVE-2018-2503

By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).

7.4CVSS7.3AI score0.00197EPSS

CVE•added 2017/05/23 4:29 a.m.•35 views

CVE-2017-8913

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.

8.8CVSS8.1AI score0.00552EPSS

CVE•added 2017/04/10 2:59 p.m.•33 views

CVE-2016-10304

The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.

6.5CVSS6.1AI score0.00893EPSS