Security Vulnerability in Self-Registration and Profile Modification in NetWeaver AS Java
CVE-2024-27899

8.8 HIGH

Key Information:

Vendor: SAP
CVE Published: 9 April 2024

Badges

📰 News Worthy

Summary

A vulnerability exists in the User Admin Application of SAP NetWeaver AS Java: the Self-Registration and Modify Your Own Profile functions do not enforce proper security requirements for the content of a newly defined security answer. Because the security answer is used in password recovery, a weak answer gives an attacker an opportunity to compromise user confidentiality, and also poses a risk to integrity and availability. Administrators are advised to review the relevant security settings and apply the vendor's updates to mitigate these risks.

Affected Version(s)

SAP NetWeaver AS Java User Management Engine SERVERCORE 7.50

SAP NetWeaver AS Java User Management Engine J2EE-APPS 7.50

SAP NetWeaver AS Java User Management Engine UMEADMIN 7.50

News Articles

CVE-2024-27899 : SAP NETWEAVER AS JAVA USER MANAGEMENT ENGINE 7.50 USER ADMIN APPLICATION PASSWORD RECOVERY - Cloud WAF

CVE-2024-27899 : Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 📰 First article discovered by prophaze.com

  • Vulnerability published