Search
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2022-04-28 | 10.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | |||||
| CVE-2022-22532 | 1 Sap | 1 Netweaver Application Server Java | 2022-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. | |||||
| CVE-2021-37535 | 1 Sap | 1 Netweaver Application Server Java | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges. | |||||
| CVE-2020-26829 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 9.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely. | |||||
| CVE-2020-6263 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not perform any authentication checks for operations that require user identity leading to Authentication Bypass. | |||||
| CVE-2016-2386 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. | |||||
| CVE-2016-3974 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~monitoring~webservice~web/ServerNodesWSService, aka SAP Security Note 2235994. | |||||
| CVE-2010-5326 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 10.0 HIGH | 10.0 CRITICAL |
| The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. | |||||
| CVE-2019-0345 | 1 Sap | 1 Netweaver Application Server Java | 2019-08-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. | |||||