SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSap Netweaver Application Server Java
APPSap7.307.317.407.50
CISA KEV — detailsi
- Vendori
- SAP
- Producti
- NetWeaver
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Apply updates per vendor instructions.
SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.
Related vulnerabilities
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require ...
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to ex...
SAP NetWeaver AS Java – command injection przez upload pliku w Log Viewer
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong aut...
In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7....