PDF Font File Attack
CVE-2024-47579

6.8MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver As For Java (adobe Document Services)
Vendor: CVE Published:; 10 December 2024

Summary

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability

Affected Version(s)

SAP NetWeaver AS for JAVA (Adobe Document Services) ADSSSAP 7.50

References

https://me.sap.com/notes/3536965

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Sep 27, 2024