CVE-2024-47588 MEDIUM

CVE-2024-47588: Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager)

Vendor Sap_Se

Product SAP NetWeaver Java (Software Update Manager)

Weakness CWE-522 · Insufficiently protected credentials

Published November 12, 2024

Last update November 12, 2024

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability.

Key dates

Disclosure timeline

November 12, 2024 CVE published

November 12, 2024 Record updated

Identifiers

CVE CVE-2024-47588

CWE CWE-522

CVSS 4.7 / MEDIUM

Affected versions

Vendor Sap_Se

Product SAP NetWeaver Java (Software Update Manager)

Affected SUM 1.1