Critical SAP NetWeaver & CX Commerce

Three vulnerabilities associated with CSS injection, file upload, and remote code execution have been discovered in the SAP Customer Experience (CX) commerce cloud and SAP Netweaver Application.

These two vulnerabilities have been assigned with CVE-2019-17495 and CVE-2022-36364

The severity of these vulnerabilities is CVE-2019-17495 – 9.8 (Critical) and CVE-2022-36364 8.8 (High), respectively.

CVE-2019-17495 exists in the Swagger UI library, and CVE-2022-36364 exists in the Apache Calcite Avatica library used in SAP Commerce Cloud.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

However, the File upload vulnerability CVE-2024-33006 exists in the SAP Netweaver application server ABAP and ABAP (Advanced Business Application Programming) platform.

The severity for this vulnerability has been given as 9.8 (Critical).

All of these vulnerabilities have been patched as part of the HotNews update for May 2024 by SAP.

Vulnerability Analysis

CVE-2019-17495: Cascading Style Sheets (CSS) Injection Vulnerability In Swagger UI

This vulnerability which exists in the Swagger UI can be exploited by a threat actor which allows the use of the Relative Path Overwrite (RPO) technique.

This, in turn, allows them to perform CSS-based input field value exfiltration like the exfiltration of a CSRF token value

To explain further, Swagger UI intentionally allows the embedding of untrusted JSON data from remote servers.

Nevertheless, it was not known previously that <style>@import in the JSON data can be used in an attack vector.

This vulnerability affects Swagger UI versions before 3.23.11. The latest version of Swagger UI is 5.17.9.

CVE-2022-36364: Remote Code Execution Vulnerability In Apache Calcite Avatica Library

This vulnerability exists in the Apache Calcite Avatica JDBC (Java Database Connectivity) driver, which creates HTTP client instances based on the class names provided by the ‘httpclient_impl’ connection property.

However, before representing, the JDBC driver does not verify whether it implements the expected interface.

This particular behavior can lead to code execution via arbitrary classes and, in some cases, remote code execution.

In order to exploit this vulnerability, a threat actor must have some level of privileges, and there must be a vulnerable class in the classpath.

This vulnerability affects Apache Calcite Avatica library versions before 1.18.0. The latest version of this library is 1.20.0.

CVE-2024-33006: File Upload Vulnerability In SAP NetWeaver Application Server ABAP And ABAP Platform

This vulnerability exists due to a missing signature check for two content repositories which allows an unauthenticated attacker to upload a malicious file to the server. When victims access this file, the threat actor can compromise the system completely. 

It has been mentioned that “SAP provides a secure default configuration with the support packages …….this [vulnerability] only affects new installations and therefore, administrators are required to apply manual configuration changes after upgrading to the respective support package level.”

To prevent the exploitation of these vulnerabilities, users of these products are recommended to upgrade their products to the latest versions and apply necessary patches.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.