Sap Netweaver Application Server Java vulnerabilities
67 known vulnerabilities affecting sap/netweaver_application_server_java.
Total CVEs: 67
CISA KEV: 7 (actively exploited)
Public exploits: 6
Exploited in wild: 7

Severity breakdown: CRITICAL 11, HIGH 20, MEDIUM 35, LOW 1

Vulnerabilities (page 1 of 4)
CVE-2026-23686 [LOW] CVSS 3.4 | v7.50 | 2026-02-10 | CWE-113
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled […]
Source: nvd
CVE-2025-42926 [MEDIUM] CVSS 5.3 | v7.50 | 2025-09-09 | CWE-306
SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application. Upon successful exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system. This vulnerability has a low impact on confidentiality […]
Source: nvd
CVE-2024-34688 [HIGH] CVSS 7.5 | mmr_server_7.5 | 2024-06-11 | CWE-400
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.
Source: nvd
CVE-2024-28164 [MEDIUM] CVSS 5.3 | gp-core_7.5 | 2024-06-11 | CWE-200
SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted, causing low impact on confidentiality of the application.
Source: nvd
CVE-2024-22127 [CRITICAL] CVSS 9.1 | v7.5 | 2024-03-12 | CWE-77
SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application […]
Source: nvd
CVE-2024-24743 [HIGH] CVSS 7.5 | v7.50 | 2024-02-13 | CWE-611
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
Source: nvd
CVE-2024-22126 [HIGH] CVSS 8.8 | v7.50 | 2024-02-13 | CWE-79 (the page's summary line labels this entry MEDIUM)
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in a Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
Source: nvd
CVE-2023-42480 [MEDIUM] CVSS 5.3 | v7.50 | 2023-11-14 | CWE-307
The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user IDs. This will have an impact on confidentiality but there is no other impact on integrity or availability.
Source: nvd
CVE-2023-42477 [MEDIUM] CVSS 6.5 | v7.50 | 2023-10-10 | CWE-918
SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.
Source: nvd
CVE-2023-40309 [CRITICAL] CVSS 9.8 | kernel_7.22, kernel_7.53, +14 more | 2023-09-12 | CWE-863
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as r […]
Source: nvd
CVE-2023-40308 [HIGH] CVSS 7.5 | kernel_7.22, kernel_7.53, +14 more | 2023-09-12 | CWE-787
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash, making it unavailable. There is no ability to view or modify any information.
Source: nvd
CVE-2023-24526 [MEDIUM] CVSS 5.3 | v7.50 | 2023-03-14 | CWE-306
SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data.
Source: nvd
CVE-2022-41262 [MEDIUM] CVSS 6.1 | v7.50 | 2022-12-12 | CWE-79
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information, causing a limited impact on the confidentiality and integrity of the application.
Source: nvd
CVE-2022-26103 [MEDIUM] CVSS 5.3 | v7.50 | 2022-03-10 | CWE-862
Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks.
Source: nvd
CVE-2022-22532 [CRITICAL] CVSS 9.8 | v7.22, v7.49, +7 more | 2022-02-09 | CWE-444
In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functi […]
Source: nvd
CVE-2022-22533 [HIGH] CVSS 7.5 | v7.22, v7.49, +7 more | 2022-02-09 | CWE-416
Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system un […]
Source: nvd
CVE-2021-37535 [CRITICAL] CVSS 9.8 | v7.11, v7.20, +4 more | 2021-09-14 | CWE-862
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.
Source: nvd
CVE-2021-33670 [HIGH] CVSS 7.5 | v7.10, v7.11, +5 more | 2021-07-14 | CWE: not listed
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types, thereby crashing the filter and making the HTTP server unavailable to other legitimate users, leading to a denial of service vulnerability.
Source: nvd
CVE-2021-33689 [MEDIUM] CVSS 4.3 | v7.50 | 2021-07-14 | CWE-778
When a user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version 7.50, no security audit log is created. Therefore, security audit log integrity is impacted.
Source: nvd
CVE-2021-33687 [MEDIUM] CVSS 4.9 | v7.10, v7.20, +4 more | 2021-07-14 | CWE-200
SAP NetWeaver AS JAVA (Enterprise Portal), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, reveals sensitive information in one of their HTTP requests; an attacker can use this in conjunction with other attacks such as XSS to steal this information.
Source: nvd