SAP NetWeaver Administrator Vulnerability Allows HTTP Endpoint Enumeration and SSRF Attacks
CVE-2024-54197

7.2HIGH

Key Information:

Vendor: SAP
Status: SAP Netweaver Administrator(system Overview)
Vendor: CVE Published:; 10 December 2024

Summary

The vulnerability in SAP NetWeaver Administrator allows an authenticated attacker to perform HTTP endpoint enumeration within the internal network by crafting specific HTTP requests. This exploitation could lead to Server-Side Request Forgery (SSRF), potentially compromising data confidentiality and integrity. The vulnerability does not affect the application's availability, but the resultant SSRF could allow attackers to interact with internal services, increasing the risk of broader network exploitation. Early mitigation is crucial to safeguard sensitive data and prevent unauthorized access.

Affected Version(s)

SAP NetWeaver Administrator(System Overview) LM-CORE 7.50

References

https://me.sap.com/notes/3542543

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Dec 2, 2024