Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2024-42372 CVE-2024-47588 CVE-2024-47592 |
CWE-ID | CWE-862 CWE-256 CWE-203 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | SAP NetWeaver AS JAVA Server applications / Application servers |
Vendor | SAP |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU100241
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-42372
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to missing authorization checks within the System Landscape Directory (SLD) component. A remote, non-authenticated attacker can read and modify some restricted global SLD configuration.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: SAP NetWeaver AS JAVA: 7.50
CPE2.3:
External links:
https://me.sap.com/notes/3335394
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100246
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-47588
CWE-ID:
CWE-256 - Unprotected Storage of Credentials
Exploit availability: No
Description: The vulnerability allows a local user to gain access to other users' credentials.
The vulnerability exists because Software Update Manager 1.1 stores credentials in plain text in a log file on the system when a software upgrade encounters errors. A local user can view the contents of the configuration file and obtain passwords used for third-party integration.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: SAP NetWeaver AS JAVA: All versions
CPE2.3:
External links:
https://me.sap.com/notes/3522953
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100245
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-47592
CWE-ID:
CWE-203 - Observable Discrepancy
Exploit availability: No
Description: The vulnerability allows a remote attacker to brute-force account logins.
The vulnerability exists because the application returns different responses depending on whether the provided login name exists. A remote attacker can perform a brute-force attack and obtain a list of valid account names.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: SAP NetWeaver AS JAVA: 7.50
CPE2.3:
External links:
https://me.sap.com/notes/3393899
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
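Added example, not code from SAP or from this bulletin: a minimal Python login handler showing the CWE-203 pattern described above (the response reveals whether the login name exists) beside a uniform-response version, plus the check a tester would run to confirm the fix. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # PBKDF2 cost; constructed value for the example


def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}

# Dummy record so an unknown name still costs one hash computation
# (keeps timing, not just the message, uniform).
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash(b"unused", _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Observable discrepancy: distinct messages for unknown user vs wrong password."""
    if username not in USERS:
        return (False, "unknown user")
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password.encode(), salt), expected):
        return (False, "wrong password")
    return (True, "ok")


def login_hardened(username: str, password: str):
    """Same message and same amount of work whether or not the name exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password.encode(), salt), expected)
    ok = matched and username in USERS  # guard against matching the dummy record
    return (ok, "ok" if ok else "invalid credentials")


def responses_distinguish(login_fn) -> bool:
    """Tester's check: do an existing name and a nonexistent name, both with a
    wrong password, yield different failure responses?"""
    existing = login_fn("alice", "not-the-password")
    missing = login_fn("nobody", "not-the-password")
    return existing != missing
```
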