CVE-2025-42965

SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3598118
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

08 Jul 2025, 16:18

Type	Values Removed	Values Added
Summary		(es) SAP CMC Promotion Management permite a un atacante autenticado enumerar sistemas de red internos mediante el envío de solicitudes manipuladas durante la configuración del origen del trabajo. Al analizar los tiempos de respuesta de diversas direcciones IP y puertos, el atacante puede inferir endpoints de red válidos. Una explotación exitosa puede conllevar la divulgación de información. Esta vulnerabilidad no afecta la integridad ni la disponibilidad de la aplicación.

08 Jul 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-08 01:15

Updated : 2025-07-08 16:18

NVD link : CVE-2025-42965

Mitre link : CVE-2025-42965

CVE.ORG link : CVE-2025-42965

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

4.1 /10