CVE-2024-41732 — Improper Access Control in SE SAP Netweaver Application Server Abap

CWE-284 — Improper Access Control3 documents3 sources

Severity

5.4MEDIUMNVD

CNA4.7

EPSS

0.1%

top 69.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Abap SAP Netweaver Application Server Abap

Timeline

PublishedAug 13

Description

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_abap10 versions+9

▶NVDsap/netweaver_application10 versions+9

🔴Vulnerability Details

GHSA

GHSA-5hhx-v396-wch6: SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls↗2024-08-13

▶

CVEList

Improper Access Control in SAP Netweaver Application Server ABAP↗2024-08-13

▶