CVE-2025-42934 — HTTP Request/Response Splitting in SAP SE S/4HANA
Severity
4.3 MEDIUM (NVD)
EPSS
0.0%
top 90.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Aug 12
Description
SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4
Affected Packages: 1 package