8.8

CVE-2025-0063

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorSAP_SE
Product SAP NetWeaver AS ABAP and ABAP Platform
Default Statusunaffected
Version SAP_BASIS 700
Status affected
Version SAP_BASIS 701
Status affected
Version SAP_BASIS 702
Status affected
Version SAP_BASIS 731
Status affected
Version SAP_BASIS 740
Status affected
Version SAP_BASIS 750
Status affected
Version SAP_BASIS 751
Status affected
Version SAP_BASIS 752
Status affected
Version SAP_BASIS 753
Status affected
Version SAP_BASIS 754
Status affected
Version SAP_BASIS 755
Status affected
Version SAP_BASIS 756
Status affected
Version SAP_BASIS 757
Status affected
Version SAP_BASIS 758
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.27% 0.499
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
cna@sap.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.