Vulnerabilities > CVE-2018-2503 - Missing Authorization vulnerability in SAP Netweaver Application Server Java

CVSS 7.4 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

low complexity

sap

CWE-862

NVD

Published: 2018-12-11

Updated: 2021-09-09

Summary

By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Netweaver Application Server Java 7.20 SAP Netweaver Application Server Java 7.30 SAP Netweaver Application Server Java 7.31 SAP Netweaver Application Server Java 7.40 SAP Netweaver Application Server Java 7.50 SAP Netweaver Application Server Java 7.11	6

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
https://launchpad.support.sap.com/#/notes/2658279
http://www.securityfocus.com/bid/106156