Date of Release: February 13, 2024
Advisory ID: CVE-2024-22126
Affected Software: SAP NetWeaver Application Server for Java (AS Java) User Admin Application
Versions Affected: J2EE ENGINE APPLICATIONS 7.50, specifically:
- SP026000005
- SP027000003
- SP028000003
- SP029000000
Vulnerability Summary: A critical Cross-Site Scripting (XSS) vulnerability, CVE-2024-22126, has been discovered in the User Admin application of SAP NetWeaver AS for Java. The application does not sufficiently validate or encode incoming URL parameters before including them in the redirect URL, so an attacker-controlled value can be reflected into the response. The flaw primarily compromises confidentiality, with a lesser impact on integrity and availability.
CVSS Score: 8.8 (High)
PoC:
POST /useradmin/index.jsp HTTP/1.1
Host: SAP-Server:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

"><img src%3dx onerror%3dalert(1)>
CVSS Vector:
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): Required
- Scope (S): Changed
- Confidentiality Impact (C): High
- Integrity Impact (I): Low
- Availability Impact (A): Low
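The metric values above determine the base score given earlier. The following is an added worked example, not part of the advisory: it implements the CVSS v3 base-score formula (the v3.1 weights and Roundup function are assumed, since the advisory does not state the CVSS version) so that the listed metrics can be checked against the stated score. All class and method names are this example's own.

```java
// Added example: CVSS v3.1 base-score computation for the metrics listed in the advisory.
public final class Cvss31BaseScore {

    // Metric weights from the CVSS v3.1 specification, section 7.4.
    static final double AV_NETWORK = 0.85;
    static final double AC_LOW = 0.77;
    static final double PR_NONE = 0.85;      // identical whether scope is changed or not
    static final double UI_REQUIRED = 0.62;
    static final double CIA_HIGH = 0.56;
    static final double CIA_LOW = 0.22;

    /** Roundup() from CVSS v3.1 Appendix A: smallest one-decimal value >= input. */
    static double roundUp(double input) {
        int intInput = (int) Math.round(input * 100000);
        if (intInput % 10000 == 0) {
            return intInput / 100000.0;
        }
        return (intInput / 10000 + 1) / 10.0;
    }

    /** Base score from the eight base metrics; scopeChanged selects the S:C branch of the formula. */
    static double baseScore(double av, double ac, double pr, double ui, boolean scopeChanged,
                            double conf, double integ, double avail) {
        // Impact Sub-Score (ISS) combines the three impact metrics.
        double iss = 1 - (1 - conf) * (1 - integ) * (1 - avail);
        double impact = scopeChanged
                ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
                : 6.42 * iss;
        double exploitability = 8.22 * av * ac * pr * ui;
        if (impact <= 0) {
            return 0.0;
        }
        double raw = scopeChanged
                ? Math.min(1.08 * (impact + exploitability), 10)
                : Math.min(impact + exploitability, 10);
        return roundUp(raw);
    }

    public static void main(String[] args) {
        // AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:L / A:L, as listed in the advisory.
        double score = baseScore(AV_NETWORK, AC_LOW, PR_NONE, UI_REQUIRED, true,
                                 CIA_HIGH, CIA_LOW, CIA_LOW);
        System.out.println("CVSS v3.1 base score: " + score);
    }
}
```

Running the class prints the score for the advisory's metric combination; changing Scope to unchanged (passing `false`) shows how much of the score comes from the S:C branch, which is why a reflected XSS that executes in the victim's browser context scores higher than a same-scope flaw with identical impact metrics.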
Symptom: Attackers can exploit this vulnerability by crafting malicious URL parameters that are reflected back to the user’s browser, leading to XSS attacks. This could result in unauthorized access to user sessions and personal data, posing a severe security risk.
Cause: The vulnerability is introduced after applying SAP Note 3251396; the corrected code does not adequately validate and encode URL parameters used in redirects, which allows the XSS.
Solution: Users are urged to apply the corrective measures provided in the “Validity” and “Support Packages & Patches” sections of the SAP Security Note related to CVE-2024-22126. It is also recommended to review SAP Note 1974464 for information on SCA Dependency Analysis for Java download objects to avoid system incompatibilities.
Mitigation: Until patches can be applied, it is advised to monitor and possibly restrict incoming URL parameters to the User Admin application to mitigate the risk of exploitation.
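The summary above attributes the flaw to missing validation and encoding of URL parameters placed into a redirect URL, and the mitigation recommends restricting those parameters. The following added example, written for this page and not taken from SAP's User Admin code, shows the two controls a patched redirect handler applies: fail-closed validation of a user-supplied redirect target (same-origin path only, no scheme, authority, traversal or markup characters) and percent-encoding of any parameter value appended to the redirect. The class name, the fallback path `/useradmin/index.jsp` and the sample inputs are this example's own assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

// Added example (not SAP code): validate a user-supplied redirect target and
// encode parameters before they are placed in a redirect URL.
public final class RedirectTargetSanitizer {

    // Assumed fallback landing page used whenever the supplied target is rejected.
    static final String DEFAULT_TARGET = "/useradmin/index.jsp";

    /**
     * Returns a same-origin, normalised path for the redirect, or DEFAULT_TARGET
     * when the input carries a scheme, an authority, traversal segments, or any
     * character that could break out of the URL or HTML context it ends up in.
     */
    public static String sanitizeTarget(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Fail closed on characters that are never legitimate in a redirect path
        // (the PoC in this advisory relies on '"', '<' and '>' to inject markup).
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '"' || c == '\'' || c == '<' || c == '>' || c == '\\') {
                return DEFAULT_TARGET;
            }
        }
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;           // not parseable as a URI at all
        }
        // Reject anything that could leave the current origin: "http://...",
        // "javascript:...", protocol-relative "//host/..." and similar.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return DEFAULT_TARGET;
        }
        String path = uri.getPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//") || path.contains("..")) {
            return DEFAULT_TARGET;
        }
        // Re-serialise from the parsed components so only ASCII, percent-encoded
        // characters reach the Location header.
        return uri.toASCIIString();
    }

    /** Percent-encodes a single query parameter value for inclusion in a redirect URL. */
    public static String encodeQueryValue(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Builds the final redirect URL: validated path plus one encoded parameter. */
    public static String buildRedirect(String rawTarget, String paramName, String rawValue) {
        String target = sanitizeTarget(rawTarget);
        String separator = target.contains("?") ? "&" : "?";
        return target + separator + encodeQueryValue(paramName) + "=" + encodeQueryValue(rawValue);
    }

    public static void main(String[] args) {
        // Constructed inputs; the first has the shape of the payload in the advisory's PoC.
        String[] samples = {
            "\"><img src=x onerror=alert(1)>",
            "javascript:alert(1)",
            "//attacker.example/phish",
            "/useradmin/../../admin",
            "/useradmin/index.jsp?tab=roles"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + sanitizeTarget(s));
        }
        // The same payload supplied as a parameter value is encoded rather than rejected,
        // so it can no longer terminate the attribute or element it is placed in.
        System.out.println(buildRedirect("/useradmin/index.jsp", "query", "\"><img src=x onerror=alert(1)>"));
    }
}
```

Validation and encoding are deliberately separate: the target path is an allow-list decision (anything not a clean same-origin path falls back to the default), while parameter values are data and are always percent-encoded. If the resulting URL is also written into HTML (for example a meta refresh or a link on an interstitial page), it must additionally be HTML-attribute-encoded at that point, because URL encoding alone does not make a value safe in an HTML context.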
References:
- SAP Security Note [CVE-2024-22126]
- SAP Note 3251396
- SAP Note 1974464
The signature of this vulnerability has been added to the RedRays Security Platform.