CVE-2024-22127

SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3433192	Permissions Required
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364	Vendor Advisory
https://me.sap.com/notes/3433192	Permissions Required
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver_application_server_java:7.5:*:*:*:*:*:*:*

History

07 Feb 2025, 17:25

Type	Values Removed	Values Added
References	~~() https://me.sap.com/notes/3433192 -~~	() https://me.sap.com/notes/3433192 - Permissions Required
References	~~() https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 -~~	() https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364 - Vendor Advisory
CPE		cpe:2.3:a:sap:netweaver_application_server_java:7.5:::::::*
First Time		Sap netweaver Application Server Java Sap

Information

Published : 2024-03-12 01:15

Updated : 2025-02-07 17:25

NVD link : CVE-2024-22127

Mitre link : CVE-2024-22127

CVE.ORG link : CVE-2024-22127

JSON object : View

Products Affected

sap

netweaver_application_server_java

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2024-22127", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2024-03-12T01:15:49.060", "references": [{"url": "https://me.sap.com/notes/3433192", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://me.sap.com/notes/3433192", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files\u00a0which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application."}, {"lang": "es", "value": "SAP NetWeaver Administrator AS Java (complemento Administrator Log Viewer): versi\u00f3n 7.50, permite a un atacante con altos privilegios cargar archivos potencialmente peligrosos, lo que conduce a una vulnerabilidad de inyecci\u00f3n de comandos. Esto permitir\u00eda al atacante ejecutar comandos que pueden causar un gran impacto en la confidencialidad, integridad y disponibilidad de la aplicaci\u00f3n."}], "lastModified": "2025-02-07T17:25:17.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFF5713B-C0C4-4062-BC6F-0BBD1E6FF620"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}