Description
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- SAP_SE / SAP NetWeaver Application Server ABAPKRNL64NUC 7.22 – KRNL64NUC 7.22
- SAP_SE / SAP NetWeaver Application Server ABAP7.22EXT – 7.22EXT
- SAP_SE / SAP NetWeaver Application Server ABAPKRNL64UC 7.22 – KRNL64UC 7.22
- SAP_SE / SAP NetWeaver Application Server ABAP7.53 – 7.53
- SAP_SE / SAP NetWeaver Application Server ABAPKERNEL 7.22 – KERNEL 7.22
- SAP_SE / SAP NetWeaver Application Server ABAP7.54 – 7.54
- SAP_SE / SAP NetWeaver Application Server ABAP7.77 – 7.77
- SAP_SE / SAP NetWeaver Application Server ABAP7.89 – 7.89
- SAP_SE / SAP NetWeaver Application Server ABAP7.93 – 7.93