CVE-2020-6202
https://notcve.org/view.php?id=CVE-2020-6202
SAP NetWeaver Application Server Java (User Management Engine), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
• https://launchpad.support.sap.com/#/notes/2847787
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
• CWE-20: Improper Input Validation
CVE-2020-6190
https://notcve.org/view.php?id=CVE-2020-6190
Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.
• https://launchpad.support.sap.com/#/notes/2838835
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-0391
https://notcve.org/view.php?id=CVE-2019-0391
Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.
• https://launchpad.support.sap.com/#/notes/2835226
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390
CVE-2019-0355
https://notcve.org/view.php?id=CVE-2019-0355
SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.
• https://launchpad.support.sap.com/#/notes/2798336
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2019-0345
https://notcve.org/view.php?id=CVE-2019-0345
A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and tricking the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.
• https://launchpad.support.sap.com/#/notes/2813811
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
• CWE-918: Server-Side Request Forgery (SSRF)