CVE-2025-42965

Published: Jul 8, 2025Modified: Jul 8, 2025

4.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Exploitability: 2.3 / Impact: 1.4

Source: CNA (Secondary)

Description

SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://me.sap.com/notes/3598118

Source: cna@sap.com

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Timeline

No history available yet.