CVE-2024-27899 HIGH

CVE-2024-27899: Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine

Vendor Sap_Se

Product SAP NetWeaver AS Java User Management Engine

Weakness CWE-640 · Weak password recovery

Published April 9, 2024

Last update August 27, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

Description

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

Key dates

Disclosure timeline

April 9, 2024 CVE published

August 27, 2025 Record updated

Identifiers

CVE CVE-2024-27899

CWE CWE-640

CVSS 8.8 / HIGH

Affected versions

Vendor Sap_Se

Product SAP NetWeaver AS Java User Management Engine

Affected SERVERCORE 7.50

Vendor Sap_Se

Product SAP NetWeaver AS Java User Management Engine

Affected J2EE-APPS 7.50

Vendor Sap_Se

Product SAP NetWeaver AS Java User Management Engine

Affected UMEADMIN 7.50