Search
Find a vulnerability
Search criteria
6 vulnerabilities found for SAP NetWeaver AS for JAVA (Adobe Document Services) by SAP_SE
CVE-2024-47580 (GCVE-0-2024-47580)
Vulnerability from nvd – Published: 2024-12-10 00:12 – Updated: 2024-12-16 19:16
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T19:16:02.459320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T19:16:09.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.\u003c/p\u003e"
}
],
"value": "An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:12:11.655Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47580",
"datePublished": "2024-12-10T00:12:11.655Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-16T19:16:09.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47579 (GCVE-0-2024-47579)
Vulnerability from nvd – Published: 2024-12-10 00:12 – Updated: 2024-12-16 19:16
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T19:16:28.266414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T19:16:35.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability\u003c/p\u003e"
}
],
"value": "An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:12:05.039Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47579",
"datePublished": "2024-12-10T00:12:05.039Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-16T19:16:35.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47578 (GCVE-0-2024-47578)
Vulnerability from nvd – Published: 2024-12-10 00:11 – Updated: 2024-12-10 17:15
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T15:41:02.864066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:15:02.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAdobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable.\u003c/p\u003e"
}
],
"value": "Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:11:57.435Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47578",
"datePublished": "2024-12-10T00:11:57.435Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-10T17:15:02.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47580 (GCVE-0-2024-47580)
Vulnerability from cvelistv5 – Published: 2024-12-10 00:12 – Updated: 2024-12-16 19:16
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T19:16:02.459320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T19:16:09.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.\u003c/p\u003e"
}
],
"value": "An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:12:11.655Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47580",
"datePublished": "2024-12-10T00:12:11.655Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-16T19:16:09.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47579 (GCVE-0-2024-47579)
Vulnerability from cvelistv5 – Published: 2024-12-10 00:12 – Updated: 2024-12-16 19:16
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T19:16:28.266414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T19:16:35.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability\u003c/p\u003e"
}
],
"value": "An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:12:05.039Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47579",
"datePublished": "2024-12-10T00:12:05.039Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-16T19:16:35.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47578 (GCVE-0-2024-47578)
Vulnerability from cvelistv5 – Published: 2024-12-10 00:11 – Updated: 2024-12-10 17:15
VLAI
Title
Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)
Summary
Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for JAVA (Adobe Document Services) |
Affected:
ADSSSAP 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T15:41:02.864066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:15:02.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for JAVA (Adobe Document Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ADSSSAP 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAdobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable.\u003c/p\u003e"
}
],
"value": "Adobe Document Service allows an attacker with administrator privileges to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. On successful exploitation, the attacker can read or modify any file and/or make the entire system unavailable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T00:11:57.435Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3536965"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-47578",
"datePublished": "2024-12-10T00:11:57.435Z",
"dateReserved": "2024-09-27T20:05:49.543Z",
"dateUpdated": "2024-12-10T17:15:02.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}