NetWeaver AS Java User Admin App Lets Self-Register via Improper Security Answer
CVE-2024-27899 Published on April 9, 2024
Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine
Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.
Vulnerability Analysis
CVE-2024-27899 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Affected Versions
SAP_SE SAP NetWeaver AS Java User Management Engine:- Version SERVERCORE 7.50 is affected.
- Version J2EE-APPS 7.50 is affected.
- Version UMEADMIN 7.50 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.