Sap Se Sap Netweaver As Java vulnerabilities

CVE-2025-42922 [CRITICAL] CWE-94 CVE-2025-42922: SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system.

CVE-2025-42925 [MEDIUM] CWE-341 CVE-2025-42925: Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP serv Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier whi

CVE-2025-42927 [LOW] CWE-1395 CVE-2025-42927: SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version o SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to access and modify system information.This vulnerability has a low impact on confidentiality and integrity, with no

CVE-2025-0057 [MEDIUM] CWE-434 CVE-2025-0057: SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerab SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser.

CVE-2024-47582 [MEDIUM] CWE-611 CVE-2024-47582: Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.

CVE-2024-42372 [MEDIUM] CWE-862 CVE-2024-42372: Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthor Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.

CVE-2024-45280 [MEDIUM] CWE-79 CVE-2024-45280: Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scrip Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability.

CVE-2024-34688 [HIGH] CWE-400 CVE-2024-34688: Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.

CVE-2024-28164 [MEDIUM] CWE-200 CVE-2024-28164: SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensiti SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.

CVE-2024-22127 [CRITICAL] CWE-77 CVE-2024-22127: SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an att SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the applicat

CVE-2024-22126 [HIGH] CWE-79 CVE-2024-22126: The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.

CVE-2024-24743 [HIGH] CWE-611 CVE-2024-24743: SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker t SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.

CVE-2023-42477 [MEDIUM] CWE-918 CVE-2023-42477: SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a craf SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web application, causing limited impact on confidentiality and integrity of the application.

CVE-2021-33689 [MEDIUM] CWE-778 CVE-2021-33689: When user with insufficient privileges tries to access any application in SAP NetWeaver Administrato When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted.

CVE-2021-33687 [MEDIUM] CWE-200 CVE-2021-33687: SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sen SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information.

CVE-2021-21481 [HIGH] CWE-863 CVE-2021-21481: The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7. The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, a

CVE-2020-26829 [CRITICAL] CWE-306 CVE-2020-26829: SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, al SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke

CVE-2020-26816 [MEDIUM] CWE-312 CVE-2020-26816: SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys becau

CVE-2020-26826 [MEDIUM] CWE-434 CVE-2020-26826: Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an atta Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including script files) without proper file format validation, leading to Unrestricted File Upload.

CVE-2020-26820 [HIGH] CWE-434 CVE-2020-26820: SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authentica SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file le