Total
64 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22532 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. | |||||
| CVE-2022-26103 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.3 MEDIUM | 5.3 MEDIUM |
| Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | |||||
| CVE-2022-22533 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable. | |||||
| CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | |||||
| CVE-2021-21485 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. | |||||
| CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. | |||||
| CVE-2021-33689 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted. | |||||
| CVE-2021-27598 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet. | |||||
| CVE-2021-33687 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. | |||||
| CVE-2021-27601 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. | |||||
| CVE-2021-33670 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. | |||||
| CVE-2020-26829 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 9.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely. | |||||
| CVE-2020-6365 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to redirect users to a malicious site due to insufficient reverse tabnabbing URL validation. The attacker could execute phishing attacks to steal credentials of the victim or to redirect users to untrusted web pages containing malware or similar malicious exploits. | |||||
| CVE-2020-6319 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to include JavaScript blocks in any web page or URL with different symbols which are otherwise not allowed. On successful exploitation an attacker can steal authentication information of the user, such as data relating to his or her current session and limitedly impact confidentiality and integrity of the application, leading to Reflected Cross Site Scripting. | |||||
| CVE-2020-26820 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 9.0 HIGH | 7.2 HIGH |
| SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it. | |||||
| CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 2.7 LOW | 4.5 MEDIUM |
| SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
| CVE-2021-21491 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | |||||
| CVE-2020-26826 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload. | |||||
| CVE-2020-6282 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 5.0 MEDIUM | 5.8 MEDIUM |
| SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | |||||
| CVE-2020-6313 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting. | |||||