CVE-2024-24743 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
https://notcve.org/view.php?id=CVE-2024-24743
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. SAP NetWeaver AS Java (CAF - Procedimientos guiados): versión 7.50, permite a un atacante no autenticado enviar una solicitud maliciosa con un archivo XML manipulado a través de la red, que cuando se analiza le permitirá acceder a archivos y datos confidenciales, pero no modificarlos. Existen límites de expansión establecidos para que la disponibilidad no se vea afectada. • https://me.sap.com/notes/3426111 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2021-33671
https://notcve.org/view.php?id=CVE-2021-33671
SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data. SAP NetWeaver Guided Procedures (Administration Workset), versiones - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios. El impacto de la falta de autorización podría resultar en el abuso de la funcionalidad restringida a un grupo de usuarios en particular, y podría permitir a usuarios no autorizados a leer, modificar o eliminar los datos restringidos • https://launchpad.support.sap.com/#/notes/3059446 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-862: Missing Authorization •
CVE-2020-6187
https://notcve.org/view.php?id=CVE-2020-6187
SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. SAP NetWeaver (Guided Procedures), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, no comprueba suficientemente la entrada de un documento XML de un administrador comprometido, conllevando a una Denegación de Servicio. • https://launchpad.support.sap.com/#/notes/2864415 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812 • CWE-611: Improper Restriction of XML External Entity Reference •