CVE-2024-27899
Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.
Self-Registration and Modify your own profile en User Admin Application de NetWeaver AS Java no exige requisitos de seguridad adecuados para el contenido de la respuesta de seguridad recién definida. Un atacante puede aprovechar esto para causar un profundo impacto en la confidencialidad y un bajo impacto tanto en la integridad como en la disponibilidad.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-02-27 CVE Reserved
- 2024-04-09 CVE Published
- 2024-04-09 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://me.sap.com/notes/3434839 | ||
| https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| SAP SE Search vendor "SAP SE" | SAP NetWeaver AS Java User Management Engine Search vendor "SAP SE" for product "SAP NetWeaver AS Java User Management Engine" | 7.50 Search vendor "SAP SE" for product "SAP NetWeaver AS Java User Management Engine" and version "7.50" | en |
Affected
| ||||||
| SAP SE Search vendor "SAP SE" | SAP NetWeaver AS Java User Management Engine Search vendor "SAP SE" for product "SAP NetWeaver AS Java User Management Engine" | 7.50 Search vendor "SAP SE" for product "SAP NetWeaver AS Java User Management Engine" and version "7.50" | en |
Affected
| ||||||