VYPR

Netweaver Application Server Java

by SAP

CVEs (57)

  • CVE-2016-2386 | Critical | KEV | Feb 16, 2016
    risk 0.84 | CVSS 9.8 | EPSS 0.71

    SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

  • CVE-2010-5326 | Critical | KEV | May 13, 2016
    risk 0.78 | CVSS 10.0 | EPSS 0.17

    The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour"…

  • CVE-2017-12637 | High | KEV | Aug 7, 2017
    risk 0.68 | CVSS 7.5 | EPSS 0.95

    Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security…

  • CVE-2016-3976 | High | KEV | Apr 7, 2016
    risk 0.67 | CVSS 7.5 | EPSS 0.47

    Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

  • CVE-2016-3974 | Critical | Apr 7, 2016
    risk 0.63 | CVSS 9.1 | EPSS 0.15

    XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to…

  • CVE-2026-40128 | Critical | Jun 9, 2026
    risk 0.59 | CVSS 9.0 | EPSS 0.00

    SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the…

  • CVE-2025-42963 | Critical | Jul 8, 2025
    risk 0.59 | CVSS 9.1 | EPSS 0.01

    A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control…

  • CVE-2024-27899 | High | Apr 9, 2024
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and…

  • CVE-2017-8913 | High | May 23, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security…

  • CVE-2017-7717 | High | Apr 14, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.

  • CVE-2015-8840 | High | Apr 8, 2016
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp,…

  • CVE-2016-9563 | Medium | KEV | Nov 23, 2016
    risk 0.56 | CVSS 6.5 | EPSS 0.24

    BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

  • CVE-2016-2388 | Medium | KEV | Feb 16, 2016
    risk 0.54 | CVSS 5.3 | EPSS 0.52

    The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

  • CVE-2017-14581 | High | Sep 19, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181.

  • CVE-2016-9562 | High | Nov 23, 2016
    risk 0.49 | CVSS 7.5 | EPSS 0.04

    SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS request to the sap.com~P4TunnelingApp!web/myServlet URI, aka SAP Security Note 2313835.

  • CVE-2016-3980 | High | Apr 8, 2016
    risk 0.49 | CVSS 7.5 | EPSS 0.07

    The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted HTTP request, aka SAP Security Note 2259547.

  • CVE-2017-11457 | Medium | Jul 25, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249.

  • CVE-2016-10304 | Medium | Apr 10, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.

  • CVE-2025-0067 | Medium | Jan 14, 2025
    risk 0.41 | CVSS 6.3 | EPSS 0.00

    Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with standard user role can create JCo connection entries, which are used for remote function calls from or to the application server. This could lead to low…

  • CVE-2026-27674 | Medium | Apr 14, 2026
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the…

Page 1 of 3