CVE-2019-0345 — Server-Side Request Forgery in SE SAP Netweaver Application Server FOR Java

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.0%

top 22.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server FOR Java SAP Netweaver Application Server Java

Timeline

PublishedAug 14

Latest updateMay 24

Description

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_for_java< 7.30+3

▶NVDsap/netweaver_application4 versions+3

🔴Vulnerability Details

GHSA

GHSA-mm29-rwhq-2g82: A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7↗2022-05-24

▶

CVEList

CVE-2019-0345: A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7↗2019-08-14

▶