CVE-2025-42884Improper Neutralization of Special Elements in Data Query Logic in SE SAP Netweaver Enterprise Portal

CWE-943Improper Neutralization of Special Elements in Data Query Logic3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 70.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Netweaver Enterprise Portal
Timeline
PublishedNov 11

Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider.�This could further lead to disclosure or modification of information about the server. There is no impact on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

CVEListV5sap_se/sap_netweaver_enterprise_portalEP-BASIS 7.50, EP-RUNTIME 7.50+1

🔴Vulnerability Details

2
CVEList
JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal2025-11-11
GHSA
GHSA-gpv6-m7fj-wr5v: SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operati2025-11-11
CVE-2025-42884 — MEDIUM severity | cvebase