CVE-2019-0345

Summary

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver Application Server for Java (Administrator System Overview)< 7.30affected
SAP SESAP NetWeaver Application Server for Java (Administrator System Overview)< 7.31affected
SAP SESAP NetWeaver Application Server for Java (Administrator System Overview)< 7.40affected
SAP SESAP NetWeaver Application Server for Java (Administrator System Overview)< 7.50affected

Weaknesses

  • Server-Side Request Forgery

ADP Enrichment

CVE Program Container

Additional References

References