Detections
Analytics

SAP NetWeaver AS Java Multiple Vulnerabilities (Feb 2024)

high Nessus Plugin ID 190609

Language:

Synopsis

The remote SAP NetWeaver application server is affected by multiple vulnerabilities.

Description

SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following:

 - The User Admin application of SAP NetWeaver AS for Java insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
 (CVE-2024-22126)

 - SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected. (CVE-2024-24743)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?89707ebf

https://me.sap.com/notes/3417627

https://me.sap.com/notes/3426111

Plugin Details

Severity: High

ID: 190609

File Name: sap_netweaver_as_java_nov_2024.nasl

Version: 1.1

Type: remote

Family: Web Servers

Published: 2/16/2024

Updated: 2/19/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: CVE-2024-22126

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 2/13/2024

Vulnerability Publication Date: 2/13/2024

Reference Information

CVE: CVE-2024-22126, CVE-2024-24743

IAVA: 2024-A-0084