History: Apr 09, 2024 - 1:15 a.m.

CVE-2024-27899

2024-04-09 01:15:48
CWE-640
web.nvd.nist.gov
cve-2024-27899
self-registration
modify profile
security requirements
security answer
confidentiality
integrity
availability
netweaver as java

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

AI Score: 6.7 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver AS Java User Management Engine",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "SERVERCORE 7.50"
      },
      {
        "status": "affected",
        "version": "J2EE-APPS 7.50"
      },
      {
        "status": "affected",
        "version": "UMEADMIN 7.50"
      }
    ]
  }
]
