SAP SE SAP NetWeaver AS for Java vulnerabilities
12 known vulnerabilities affecting sap_se/sap_netweaver_as_for_java.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 10
Vulnerabilities
CVE-2024-47578 | CRITICAL | CVSS 9.1 | CWE-918 | vADSSSAP 7.50 | 2024-12-10
Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploita
Sources: cvelistv5, nvd

CVE-2024-47580 | MEDIUM | CVSS 6.8 | CWE-538 | vADSSSAP 7.50 | 2024-12-10
An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.
Sources: cvelistv5, nvd

CVE-2024-47579 | MEDIUM | CVSS 6.8 | CWE-538 | vADSSSAP 7.50 | 2024-12-10
An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effec
Sources: cvelistv5, nvd

CVE-2024-45283 | MEDIUM | CVSS 6.0 | CWE-256 | v7.50 | 2024-09-10
SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.
Sources: cvelistv5, nvd

CVE-2023-31405 | MEDIUM | CVSS 5.3 | CWE-117 | vENGINEAPI 7.50; vSERVERCORE 7.50; +1 more | 2023-07-11
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.
Sources: cvelistv5, nvd

CVE-2021-33670 | HIGH | CVSS 7.5 | fixed in 7.10; fixed in 7.11; +5 more | 2021-07-14
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.
Sources: cvelistv5, nvd

CVE-2021-27621 | MEDIUM | CVSS 4.9 | fixed in 7.11; fixed in 7.20; +4 more | 2021-06-09
Information Disclosure vulnerability in UserAdmin application in SAP NetWeaver Application Server for Java, versions - 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, allows attackers to access restricted information by entering a malicious server name.
Sources: cvelistv5, nvd

CVE-2021-27635 | MEDIUM | CVSS 6.5 | CWE-611 | fixed in 7.20; fixed in 7.30; +3 more | 2021-06-09
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on t
Sources: cvelistv5, nvd

CVE-2021-21492 | MEDIUM | CVSS 4.3 | CWE-290 | fixed in 7.10; fixed in 7.11; +5 more | 2021-04-13
SAP NetWeaver Application Server Java (HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.
Sources: cvelistv5, nvd

CVE-2021-21485 | MEDIUM | CVSS 6.5 | vENGINEAPI 7.30, 7.31, 7.40, 7.50; vESP_FRAMEWORK 7.10, 7.20, 7.30, 7.31, 7.40, 7.50; +2 more | 2021-04-13
An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
Sources: cvelistv5, nvd

CVE-2021-27598 | MEDIUM | CVSS 5.3 | CWE-284 | fixed in 7.31; fixed in 7.40; +1 more | 2021-04-13
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
Sources: cvelistv5, nvd

CVE-2021-27601 | MEDIUM | CVSS 5.4 | CWE-79 | vEP-BASIS 7.10, 7.11, 7.30, 7.31, 7.40, 7.50; vFRAMEWORK-EXT 7.30, 7.31, 7.40, 7.50; +1 more | 2021-04-13
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.
Sources: cvelistv5, nvd