CVE-2023-26459— Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

CVSS 7.4 · High EPSS 0.24% · P47 Updated Feb 28, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-26459

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Source: NVD (National Vulnerability Database)

Vulnerability Description

Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

SAP NetWeaver AS 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

SAP NetWeaver AS是德国思爱普（SAP）公司的一款SAP网络应用服务器。它不仅能提供网络服务，且还是SAP软件的基本平台。 SAP NetWeaver AS存在代码问题漏洞，该漏洞源于不正确的输入控制，攻击者利用该漏洞可以显示、修改或使非敏感信息不可用。以下产品和版本受到影响：SAP NetWeaver AS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
SAP	NetWeaver AS for ABAP and ABAP Platform	700	-

II. Public POCs for CVE-2023-26459

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-26459

请登录查看更多情报信息。

Same Patch Batch · SAP · 2023-03-14 · 21 CVEs total

CVE-2023-23857	9.9 CRITICAL	Improper Access Control in SAP NetWeaver AS for Java
CVE-2023-25616	9.9 CRITICAL	Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
CVE-2023-27500	9.6 CRITICAL	Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-27269	9.6 CRITICAL	Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-25617	9.0 CRITICAL	OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform
CVE-2023-27893	8.8 HIGH	Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)
CVE-2023-27501	8.7 HIGH	Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-27498	7.2 HIGH	Memory Corruption vulnerability in SAP Host Agent (SAPOSCOL)
CVE-2023-25615	6.8 MEDIUM	SQL Injection vulnerability in SAP ABAP Platform
CVE-2023-26461	6.8 MEDIUM	XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal)
CVE-2023-27896	6.5 MEDIUM	Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platfo
CVE-2023-27271	6.5 MEDIUM	Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platfo
CVE-2023-27270	6.5 MEDIUM	Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-25618	6.5 MEDIUM	Denial of Service (DoS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
CVE-2023-26457	6.1 MEDIUM	Cross-Site Scripting (XSS) vulnerability in SAP Content Server
CVE-2023-27895	6.1 MEDIUM	Information Disclosure vulnerability in SAP Authenticator for Android
CVE-2023-27268	5.3 MEDIUM	Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service)
CVE-2023-26460	5.3 MEDIUM	Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)
CVE-2023-24526	5.3 MEDIUM	Improper Access Control in SAP NetWeaver AS Java (Classload Service)
CVE-2023-27894	5.0 MEDIUM	Sensitive Information Disclosure in the SAP BusinessObjects Business Intelligence platform

IV. Related Vulnerabilities

Same product: NetWeaver AS for ABAP and ABAP Platform

Same vendor: SAP

Same weakness: CWE-918

V. Comments for CVE-2023-26459

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-26459— Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

I. Basic Information for CVE-2023-26459

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-26459

III. Intelligence Information for CVE-2023-26459

Same Patch Batch · SAP · 2023-03-14 · 21 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-26459

Leave a comment