PT-2019-4196 · SAP · SAP NetWeaver Application Server Java

Published: 2019-08-13 · Updated: 2019-08-23 · CVE-2019-0345

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver Application Server for Java versions 7.30 through 7.50

Description: A remote unauthenticated attacker can exploit a web service in the SAP NetWeaver Application Server for Java by sending a specially crafted XML file. This can trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery. The issue is related to insufficient request validation on the server side, which can allow an attacker to disclose privileged user credentials using the specially crafted XML file.

Recommendations: For versions 7.30 through 7.50, consider restricting access to the vulnerable web service until a patch is available. As a temporary workaround, avoid using the web service in SAP NetWeaver Application Server for Java until the issue is resolved. Restrict access to the SAP Management console to minimize the risk of exploitation.

Fix

SSRF


Weakness Enumeration

Related Identifiers

BDU:2019-04792
CVE-2019-0345

Affected Products

SAP NetWeaver Application Server Java