Vulnerabilities (CVE)

Filtered by vendor Sap Subscribe
Filtered by product Netweaver Application Server Java
Total 64 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-26816 1 Sap 1 Netweaver Application Server Java 2024-02-04 2.7 LOW 4.5 MEDIUM
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems.
CVE-2021-21491 1 Sap 1 Netweaver Application Server Java 2024-02-04 5.8 MEDIUM 6.1 MEDIUM
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
CVE-2020-26826 1 Sap 1 Netweaver Application Server Java 2024-02-04 4.0 MEDIUM 6.5 MEDIUM
Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.
CVE-2020-6282 1 Sap 1 Netweaver Application Server Java 2024-02-04 5.0 MEDIUM 5.8 MEDIUM
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability.
CVE-2020-6313 1 Sap 1 Netweaver Application Server Java 2024-02-04 4.0 MEDIUM 6.5 MEDIUM
SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting.
CVE-2020-6263 1 Sap 1 Netweaver Application Server Java 2024-02-04 7.5 HIGH 9.8 CRITICAL
Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass.
CVE-2020-6286 1 Sap 1 Netweaver Application Server Java 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.
CVE-2020-6224 1 Sap 1 Netweaver Application Server Java 2024-02-04 3.5 LOW 6.2 MEDIUM
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure.
CVE-2020-6287 1 Sap 1 Netweaver Application Server Java 2024-02-04 10.0 HIGH 10.0 CRITICAL
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
CVE-2020-6309 1 Sap 1 Netweaver Application Server Java 2024-02-04 7.8 HIGH 7.5 HIGH
SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service.
CVE-2019-0389 1 Sap 1 Netweaver Application Server Java 2024-02-04 6.5 MEDIUM 8.8 HIGH
An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise.
CVE-2019-0391 1 Sap 1 Netweaver Application Server Java 2024-02-04 4.0 MEDIUM 4.3 MEDIUM
Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.
CVE-2020-6202 1 Sap 1 Netweaver Application Server Java 2024-02-04 6.5 MEDIUM 7.2 HIGH
SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
CVE-2020-6190 1 Sap 1 Netweaver Application Server Java 2024-02-04 5.0 MEDIUM 5.8 MEDIUM
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.
CVE-2019-0355 1 Sap 1 Netweaver Application Server Java 2024-02-04 6.5 MEDIUM 7.2 HIGH
SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.
CVE-2019-0318 1 Sap 1 Netweaver Application Server Java 2024-02-04 3.5 LOW 5.3 MEDIUM
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
CVE-2019-0275 1 Sap 1 Netweaver Application Server Java 2024-02-04 3.5 LOW 5.4 MEDIUM
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.
CVE-2019-0345 1 Sap 1 Netweaver Application Server Java 2024-02-04 5.0 MEDIUM 9.8 CRITICAL
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.
CVE-2019-0327 1 Sap 1 Netweaver Application Server Java 2024-02-04 6.5 MEDIUM 7.2 HIGH
SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.
CVE-2018-2503 1 Sap 1 Netweaver Application Server Java 2024-02-04 3.3 LOW 7.4 HIGH
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).