CVE-2017-9844

Published: Jul 12, 2017Modified: May 2, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer deserializes a malicious object that may cause legitimate users accessing a service, either by crashing or flooding the service.

Affected (1)

Products: Sap: Netweaver

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sap Netweaver	Version 7400.12.21.30308

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (5)

http://www.securityfocus.com/bid/96865

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://erpscan.io/advisories/erpscan-17-014-sap-netweaver-java-deserialization-untrusted-user-value-metadatauploader/

Source: cve@mitre.org

Broken Link

https://me.sap.com/notes/2399804

Source: cve@mitre.org

Permissions Required

http://www.securityfocus.com/bid/96865

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://erpscan.io/advisories/erpscan-17-014-sap-netweaver-java-deserialization-untrusted-user-value-metadatauploader/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

Timeline

No history available yet.