CVE-2025-26654

SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3543274
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) SAP Commerce Cloud (Nube Pública) no permite deshabilitar por completo el protocolo HTTP sin cifrar (puerto 80), sino que permite una redirección del puerto 80 al 443 (HTTPS). Como resultado, Commerce normalmente se comunica de forma segura mediante HTTPS. Sin embargo, la confidencialidad e integridad de los datos enviados en la primera solicitud antes de la redirección pueden verse afectadas si el cliente está configurado para usar HTTP y envía datos confidenciales en la primera solicitud antes de la redirección.

08 Apr 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 08:15

Updated : 2025-04-08 18:13

NVD link : CVE-2025-26654

Mitre link : CVE-2025-26654

CVE.ORG link : CVE-2025-26654

JSON object : View

Products Affected

No product.

CWE

CWE-319

Cleartext Transmission of Sensitive Information

6.8 /10