Multiple vulnerabilities in SAP ABAP Platform and SAP NetWeaver AS ABAP
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-47593 CVE-2024-47586 |
| CWE-ID | CWE-200 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ABAP Platform Server applications / Application servers SAP NetWeaver AS ABAP Server applications / Application servers |
| Vendor | SAP |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU100243
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-47593
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an unspecified error in the application when reading. A remote attacker can read certain files from the server.
Note, the vulnerability exploitation is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology.
MitigationInstall updates from vendor's website.
Vulnerable software versionsABAP Platform: 7.53
SAP NetWeaver AS ABAP: 753 - 912
CPE2.3- cpe:2.3:a:sap:abap_platform:7.53:*:*:*:*:*:*:*
- cpe:2.3:a:sap:sap_netweaver_as_abap:753:*:*:*:*:*:*:*
- cpe:2.3:a:sap:sap_netweaver_as_abap:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:sap_netweaver_as_abap:777:*:*:*:*:*:*:*
https://me.sap.com/notes/3508947
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) NULL pointer dereference
EUVDB-ID: #VU100242
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-47586
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the kernel. A remote non-authenticated attacker can send a specially crafted HTTP request to the application and perform a denial of service attack.
Install update from vendor's website.
Vulnerable software versionsSAP NetWeaver AS ABAP: 722 - 913
ABAP Platform: KRNL32UC 7.22EXT - 8.04
CPE2.3- cpe:2.3:a:sap:sap_netweaver_as_abap:722:*:*:*:*:*:*:*
- cpe:2.3:a:sap:sap_netweaver_as_abap:753:*:*:*:*:*:*:*
- cpe:2.3:a:sap:sap_netweaver_as_abap:754:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:KRNL32UC 7.22EXT:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:KRNL32UC 7.22:*:*:*:*:*:*:*
- cpe:2.3:a:sap:abap_platform:KRNL64NUC 7.22EXT:*:*:*:*:*:*:*
https://me.sap.com/notes/3504390
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
