SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following:
– SAP NetWeaver Application Server Java for Classload Service – version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user can read non-sensitive server data. (CVE-2023-24526)
– Cache Management Service in SAP NetWeaver Application Server for Java – version 7.50, does not perform any authentication checks for functionalities that require user identity. (CVE-2023-26460)
– SAP NetWeaver AS Java (Object Analyzing Service) – version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability, resulting in escalation of privileges. (CVE-2023-27268)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.