SAP NetWeaver AS Java Multiple Vulnerabilities (Feb 2025)

medium Nessus Plugin ID 216270

Synopsis

The remote SAP NetWeaver application server is affected by multiple vulnerabilities.

Description

SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following:

- The User Admin application of SAP NetWeaver AS for Java insufficiently validates and improperly encodes incoming URL parameters before including them in the redirect URL. This results in a Cross-Site Scripting (XSS) vulnerability with a high impact on confidentiality and a mild impact on integrity and availability.
This vulnerability was reported and an initial patch was provided in 2024, but that patch is considered obsolete; the issue is fully fixed by the patch released in February 2025.
(CVE-2024-22126)

- SAP NetWeaver AS Java (Deploy Service) does not perform any access control checks for functionalities that require a user identity, enabling an unauthenticated attacker to attach to an open interface and use an open naming and directory API to reach a service that allows them to read, but not modify, server settings and data. (CVE-2023-24527)

- SAP NetWeaver AS Java (Application Server Java) allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal, as they are deployed with the server, so sensitive information could be exposed. (CVE-2025-24869)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?1505493e

https://me.sap.com/notes/3550027

https://me.sap.com/notes/3287784

https://me.sap.com/notes/3557138

https://me.sap.com/notes/3417627

Plugin Details

Severity: Medium

ID: 216270

File Name: sap_netweaver_as_java_feb_2025.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 2/14/2025

Updated: 2/19/2025

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-22126

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 2/11/2025

Vulnerability Publication Date: 2/11/2025

Reference Information

CVE: CVE-2023-24527, CVE-2024-22126, CVE-2025-24869

IAVA: 2025-A-0112