SAP NetWeaver Administrator AS Java Vulnerability Could Lead to Command Injection
CVE-2024-22127

9.1 CRITICAL

Key Information:

Vendor: SAP
CVE Published: 12 March 2024

Summary

The Administrator Log Viewer plug-in of SAP NetWeaver Administrator AS Java permits an attacker who possesses high privileges to upload potentially harmful files. This leads to a command injection vulnerability, allowing the attacker to execute arbitrary commands within the application. Such unauthorized command execution presents serious risks, potentially compromising the confidentiality, integrity, and availability of the application's data and services. Organizations running affected versions of SAP NetWeaver are urged to apply the necessary patches to mitigate these risks.

Affected Version(s)

SAP NetWeaver AS Java (Administrator Log Viewer plug-in) 7.50

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
