The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SAP NetWeaver

computer vulnerability note CVE-2016-6256

SAP: multiple vulnerabilities of May 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: Business Objects, Crystal Enterprise, SAP ERP, NetWeaver, ASE.
Severity: 2/4.
Creation date: 09/05/2017.
Revision dates: 12/05/2017, 16/05/2017.
Identifiers: CORE-2017-0001, CVE-2016-6256, ERPSCAN-17-027, ERPSCAN-17-028, VIGILANCE-VUL-22669.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

vulnerability CVE-2017-7691

SAP: multiple vulnerabilities of April 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: SAP ERP, NetWeaver, ASE.
Severity: 4/4.
Creation date: 11/04/2017.
Revision dates: 12/04/2017, 09/05/2017.
Identifiers: CVE-2017-7691, ERPSCAN-17-016, ERPSCAN-17-017, ERPSCAN-17-018, ERPSCAN-17-019, VIGILANCE-VUL-22410.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

computer vulnerability CVE-2017-6950

SAP: multiple vulnerabilities of March 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Creation date: 14/03/2017.
Revision dates: 15/03/2017, 22/03/2017.
Identifiers: CVE-2017-6950, ERPSCAN-17-010, ERPSCAN-17-011, ERPSCAN-17-012, ERPSCAN-17-013, ERPSCAN-17-014, ERPSCAN-17-015, VIGILANCE-VUL-22115.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

computer vulnerability alert CVE-2017-5997 CVE-2017-8913 CVE-2017-8914

SAP: multiple vulnerabilities of February 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Creation date: 14/02/2017.
Revision dates: 15/02/2017, 03/03/2017.
Identifiers: CVE-2017-5997, CVE-2017-8913, CVE-2017-8914, CVE-2017-8915, ERPSCAN-17-007, ERPSCAN-17-008, ERPSCAN-17-009, VIGILANCE-VUL-21826.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

vulnerability note CVE-2016-6143 CVE-2016-6818 CVE-2017-7696

SAP: multiple vulnerabilities of January 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Creation date: 10/01/2017.
Revision date: 11/01/2017.
Identifiers: CVE-2016-6143, CVE-2016-6818, CVE-2017-7696, ERPSCAN-16-036, ERPSCAN-16-037, ERPSCAN-17-001, ERPSCAN-17-002, ERPSCAN-17-003, ERPSCAN-17-004, VIGILANCE-VUL-21534.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

vulnerability announce CVE-2016-10005 CVE-2016-3684 CVE-2016-3685

SAP: multiple vulnerabilities of December 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SAP products.
Impacted products: Business Objects, Crystal Enterprise, Crystal Reports, SAP ERP, NetWeaver, ASE.
Severity: 3/4.
Creation date: 13/12/2016.
Identifiers: CVE-2016-10005, CVE-2016-3684, CVE-2016-3685, ERPSCAN-16-041, VIGILANCE-VUL-21362.

Description of the vulnerability

An attacker can use several vulnerabilities of SAP products.

A detailed analysis was not performed for this bulletin.

vulnerability announce CVE-2014-9569

SAP NetWeaver Business Client for HTML 3.0: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in SAP NetWeaver Business Client for HTML 3.0, in order to execute JavaScript code in the context of the web site.
Impacted products: SAP ERP, NetWeaver.
Severity: 2/4.
Creation date: 08/01/2015.
Identifiers: 2051285, CVE-2014-9569, SOS-14-005, VIGILANCE-VUL-15932.

Description of the vulnerability

The SAP NetWeaver Business Client for HTML 3.0 product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in SAP NetWeaver Business Client for HTML 3.0, in order to execute JavaScript code in the context of the web site.

computer vulnerability announce CVE-2014-8592

SAP NetWeaver: denial of service via POST

Synthesis of the vulnerability

An attacker can send a malicious POST query to SAP NetWeaver, in order to trigger a denial of service.
Impacted products: SAP ERP, NetWeaver.
Severity: 2/4.
Creation date: 24/10/2014.
Identifiers: 1986725, CVE-2014-8592, ERPSCAN-14-017, ERPSCAN-14-018, ERPSCAN-14-020, ERPSCAN-14-021, VIGILANCE-VUL-15537.

Description of the vulnerability

The SAP NetWeaver product has a web service.

However, when a partial HTTP POST query is received, a fatal error occurs.

An attacker can therefore send a malicious POST query to SAP NetWeaver HTTPd, in order to trigger a denial of service.

computer vulnerability alert CVE-2014-8591

SAP NetWeaver HTTPd: denial of service via POST

Synthesis of the vulnerability

An attacker can send a malicious POST query to SAP NetWeaver HTTPd, in order to trigger a denial of service.
Impacted products: SAP ERP, NetWeaver.
Severity: 2/4.
Creation date: 24/10/2014.
Identifiers: 1966655, CVE-2014-8591, ERPSCAN-14-016, VIGILANCE-VUL-15536.

Description of the vulnerability

The SAP NetWeaver product has an HTTPd service.

However, when a partial HTTP POST query is received, a fatal error occurs.

An attacker can therefore send a malicious POST query to SAP NetWeaver HTTPd, in order to trigger a denial of service.

computer vulnerability CVE-2014-8590

SAP NetWeaver AS Java: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to SAP NetWeaver AS Java, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: SAP ERP, NetWeaver.
Severity: 2/4.
Creation date: 24/10/2014.
Identifiers: 2045176, CVE-2014-8590, ERPSCAN-14-015, VIGILANCE-VUL-15535.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program that reads this XML data can replace these entities with data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private web sites
 - a denial of service by opening a blocking file
This feature must be disabled when processing XML data coming from an untrusted source.

However, the SAP NetWeaver AS Java parser allows external entities.

An attacker can therefore transmit malicious XML data to SAP NetWeaver AS Java, in order to read a file, scan sites, or trigger a denial of service.