CVSS: 6.3EPSS: 0%CPEs: 13EXPL: 0CVE-2024-33005 – Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java),SAP Web Dispatcher and SAP Content Server
https://notcve.org/view.php?id=CVE-2024-33005
13 Aug 2024 — Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications. Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and J... • https://me.sap.com/notes/3438085 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 47EXPL: 0CVE-2023-40309 – Missing Authorization check in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40309
12 Sep 2023 — SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. SAP CommonCryptoLib no realiza las comprobaciones de autenticación necesarias, lo que puede dar como resultado comprobacione... • https://me.sap.com/notes/3340576 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 47EXPL: 0CVE-2023-40308 – Memory Corruption vulnerability in SAP CommonCryptoLib
https://notcve.org/view.php?id=CVE-2023-40308
12 Sep 2023 — SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information. SAP CommonCryptoLib permite que un atacante no autenticado cree una solicitud que, cuando se envía a un puerto abierto, provoca un error de corrupción de memoria en una librería, lo que a su vez provoca que el componente de t... • https://me.sap.com/notes/3327896 • CWE-476: NULL Pointer Dereference CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-22533
https://notcve.org/view.php?id=CVE-2022-22533
09 Feb 2022 — Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable. Debido a un manejo inapropiado de errores en SAP NetWeaver Application Server Java - versiones KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EX... • https://launchpad.support.sap.com/#/notes/3123427 • CWE-416: Use After Free •
CVSS: 9.8EPSS: 1%CPEs: 9EXPL: 0CVE-2022-22532
https://notcve.org/view.php?id=CVE-2022-22532
09 Feb 2022 — In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. En SAP NetWeaver Application Server Java - versiones KRNL64NUC 7.22, 7.22EXT, ... • https://launchpad.support.sap.com/#/notes/3123427 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37535
https://notcve.org/view.php?id=CVE-2021-37535
14 Sep 2021 — SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. SAP NetWeaver Application Server Java (JMS Connector Service) - versiones 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no realiza las comprobaciones de autorización necesarias para los privilegios de los usuarios • https://launchpad.support.sap.com/#/notes/3078609 • CWE-862: Missing Authorization •
CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2021-33687 – SAP Enterprise Portal Sensitive Data Disclosure
https://notcve.org/view.php?id=CVE-2021-33687
14 Jul 2021 — SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information. SAP NetWeaver AS JAVA (Enterprise Portal), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, revela información confidencial en una de sus peticiones HTTP, un atacante puede usar esto en conjunto con otros ataques como de tipo XSS para robar esta información SAP Ent... • http://packetstormsecurity.com/files/164600/SAP-Enterprise-Portal-Sensitive-Data-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2021-33670 – SAP NetWeaver Java Denial of Service
https://notcve.org/view.php?id=CVE-2021-33670
14 Jul 2021 — SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability. SAP NetWeaver AS for Java (Http Service Monitoring Filter), versiones - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante enviar múltiples peticiones HTTP con diferentes ... • http://packetstormsecurity.com/files/166965/SAP-NetWeaver-Java-Denial-Of-Service.html •
CVSS: 7.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-21485
https://notcve.org/view.php?id=CVE-2021-21485
13 Apr 2021 — An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. Un atacante no autorizado puede ser capaz de atraer a un administrador para que invoque comandos telnet de SAP NetWeaver Application Server para Java que permitan al atacante obtener hashes NTLM de un usuario privilegiado • https://launchpad.support.sap.com/#/notes/3001824 •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-27601
https://notcve.org/view.php?id=CVE-2021-27601
13 Apr 2021 — SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree. SAP NetWeaver AS Java (Aplicaciones basadas en HTMLB para Java) permite a un atacante autorizado de nivel básico almacenar un archivo malicioso en el servidor. ... • https://launchpad.support.sap.com/#/notes/2963592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •