CVE-2024-47580 MEDIUM

CVE-2024-47580: Multiple vulnerabilities in SAP NetWeaver AS for JAVA(Adobe Document Services)

Vendor Sap_Se

Product SAP NetWeaver AS for JAVA (Adobe Document Services)

Weakness CWE-538

Published December 10, 2024

Last update December 16, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.

Key dates

Disclosure timeline

December 10, 2024 CVE published

December 16, 2024 Record updated

Identifiers

CVE CVE-2024-47580

CWE CWE-538

CVSS 6.8 / MEDIUM

Affected versions

Vendor Sap_Se

Product SAP NetWeaver AS for JAVA (Adobe Document Services)

Affected ADSSSAP 7.50