This page lists publicly disclosed CVE vulnerabilities affecting SAP NetWeaver Application Server Java, as linked through the NVD CPE (vendor `sap`, product `netweaver_application_server_java`). Each row gives the NVD summary, the assigning source, the maximum CVSS base score, the EPSS exploitation probability, and the publication and last-update dates, to help identify and prioritize security issues. Entries marked KEV are listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-6190 | Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | [email protected] | 5.8 | 0.87% | 2020-02-12 | 2024-11-21 |
| CVE-2019-0391 | Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted. | [email protected] | 4.3 | 0.89% | 2019-11-13 | 2024-11-21 |
| CVE-2019-0389 | An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise. | [email protected] | 8.8 | 1.35% | 2019-11-13 | 2024-11-21 |
| CVE-2019-0355 | SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application. | [email protected] | 7.2 | 1.56% | 2019-09-10 | 2024-11-21 |
| CVE-2019-0345 | A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. | [email protected] | 9.8 | 2.33% | 2019-08-14 | 2024-11-21 |
| CVE-2019-0327 | SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation. | [email protected] | 7.2 | 2.10% | 2019-07-10 | 2024-11-21 |
| CVE-2019-0318 | Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. | [email protected] | 5.3 | 1.36% | 2019-07-10 | 2024-11-21 |
| CVE-2019-0275 | SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability. | [email protected] | 5.4 | 0.79% | 2019-03-12 | 2024-11-21 |
| CVE-2018-2504 | SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. | [email protected] | 6.1 | 1.06% | 2018-12-11 | 2024-11-21 |
| CVE-2018-2503 | By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50). | [email protected] | 7.4 | 0.55% | 2018-12-11 | 2024-11-21 |
| CVE-2018-2492 | SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50. | [email protected] | 7.1 | 1.14% | 2018-12-11 | 2024-11-21 |
| CVE-2018-2452 | The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability. | [email protected] | 6.1 | 1.40% | 2018-09-11 | 2024-11-21 |
| CVE-2017-14581 | The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. | [email protected] | 7.5 | 1.71% | 2017-09-19 | 2026-05-13 |
| CVE-2017-12637 KEV | Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. | [email protected] | 7.5 | 94.56% | 2017-08-07 | 2026-04-22 |
| CVE-2017-11458 | Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. | [email protected] | 6.1 | 0.97% | 2017-07-25 | 2026-05-13 |
| CVE-2017-11457 | XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. | [email protected] | 6.5 | 1.37% | 2017-07-25 | 2026-05-13 |
| CVE-2017-8913 | The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873. | [email protected] | 8.8 | 1.39% | 2017-05-23 | 2026-05-13 |
| CVE-2017-7717 | SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | [email protected] | 8.8 | 1.87% | 2017-04-14 | 2026-05-13 |
| CVE-2016-10304 | The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | [email protected] | 6.5 | 1.58% | 2017-04-10 | 2026-05-13 |
| CVE-2016-9563 KEV | BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. | [email protected] | 6.5 | 23.80% | 2016-11-23 | 2026-04-21 |
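The two KEV entries above are the ones most worth hunting for retroactively. The following is an added example, not part of this listing or any SAP tooling: a small Python detector that scans web-server access logs (Common Log Format) for the CVE-2017-12637 pattern, i.e. a request to the `scheduler/ui/js/<segment>/UIUtilJavaScriptJS` endpoint whose query string contains a `..` path segment. The hex segment is matched generically (an assumption; the table only gives `ffffffffbca41eb4`), and the query is percent-decoded repeatedly so that double-encoded forms such as `%252e%252e` are caught. The log lines are constructed for the example and are not real traffic.

```python
"""Scan access logs for the CVE-2017-12637 directory-traversal pattern.

Added example (not the page's or SAP's own code). Assumes Common Log
Format lines; the hex segment before UIUtilJavaScriptJS is matched
generically, which is an assumption beyond the listed path.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Aug/2017:10:12:01 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1847
203.0.113.10 - - [07/Aug/2017:10:12:05 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?%252e%252e/%252e%252e/ HTTP/1.1" 200 912
198.51.100.7 - - [07/Aug/2017:10:13:00 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?v=1.2.3 HTTP/1.1" 200 40321
198.51.100.7 - - [07/Aug/2017:10:13:02 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint from the CVE-2017-12637 description; the segment between js/
# and UIUtilJavaScriptJS is matched generically (assumption).
_VULN_PATH = re.compile(r'^/scheduler/ui/js/[^/]+/UIUtilJavaScriptJS$', re.I)

# A '..' standing alone as a path segment (bounded by start/end or '/').
_DOTDOT = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize_query(query: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e becomes '..', then fold
    backslashes to '/' so Windows-style separators are treated alike."""
    decoded = query
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def is_traversal_query(query: str) -> bool:
    """True if the decoded query string carries a '..' path segment."""
    return bool(_DOTDOT.search(normalize_query(query)))


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request matching the CVE-2017-12637 pattern."""
    findings = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF
        parts = urlsplit(m['target'])
        if _VULN_PATH.match(parts.path) and is_traversal_query(parts.query):
            findings.append({
                'ip': m['ip'],
                'time': m['time'],
                'status': m['status'],
                'cve': 'CVE-2017-12637',
                'decoded_query': normalize_query(parts.query),
            })
    return findings


if __name__ == '__main__':
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

On the constructed input the scanner reports the two requests from 203.0.113.10 and ignores the legitimate versioned JavaScript fetch; a 200 status on a flagged request is the signal that the traversal likely succeeded and the host should be checked against SAP Security Note 2486657.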