CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-27899: Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine

8.8 CVSS

Description

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

Classification

CVE ID: CVE-2024-27899

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Problem Types

CWE-640: Weak Password Recovery Mechanism

Affected Products

Vendor: SAP_SE

Product: SAP NetWeaver AS Java User Management Engine

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.23% (probability of being exploited)

EPSS Percentile: 42.33% (scored less or equal to compared to others)

EPSS Date: 2025-03-27 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27899
https://me.sap.com/notes/3434839
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364

Timeline

2025-02-26 19:40:24 UTC
CVE

Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine