📦

netweaver_application_server_java

Vendor: sap

Actively Exploited 7 CISA KEV List

PoC / Exploits 6 Code Available

Total RCEs 6 Remote Access

Total CVEs 184 Total Indexed

Avg. EPSS 8.55% Exploit Prob.

Latest CVE CVE-2026-27674 Apr 14

Security Vulnerability Index

Page 5 / 19

5.8 CVSS

CVE-2020-6190

Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.

EPSS: 0.26%

Severity: MEDIUM

Feb 12, 2020

4.3 CVSS

CVE-2019-0391

Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information which would otherwise be restricted.

EPSS: 0.27%

Severity: MEDIUM

Nov 13, 2019

8.8 CVSS

CVE-2019-0389

An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may change privileges for all or some functions in Java Server, and enable users to execute functions, they are not allowed to execute otherwise.

EPSS: 0.43%

Severity: HIGH

Nov 13, 2019

7.2 CVSS

CVE-2019-0355

RCE

SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.

EPSS: 0.45%

Severity: HIGH

Sep 10, 2019

9.8 CVSS

CVE-2019-0345

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

EPSS: 1.03%

Severity: CRITICAL

Aug 14, 2019

7.2 CVSS

CVE-2019-0327

RCE

SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.

EPSS: 0.70%

Severity: HIGH

Jul 10, 2019

5.3 CVSS

CVE-2019-0318

Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.

EPSS: 0.33%

Severity: MEDIUM

Jul 10, 2019

5.4 CVSS

CVE-2019-0275

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.

EPSS: 0.24%

Severity: MEDIUM

Mar 12, 2019

6.1 CVSS

CVE-2018-2504

SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

EPSS: 0.37%

Severity: MEDIUM

Dec 11, 2018

7.4 CVSS

CVE-2018-2503

By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).

EPSS: 0.19%

Severity: HIGH

Dec 11, 2018

Displaying 10 of 184 Total Entries

3 4 5 6 7 ... 19

Total 19 Sections