SAP Commerce Cloud
cpe:2.3:a:sap:commerce_cloud:*:*:*:*:*:*:*
A vulnerability exists in SAP Commerce Cloud (Public Cloud) that prevents the complete disabling of unencrypted HTTP on port 80. Instead of allowing a full shutdown of HTTP, the application only permits a redirect from port 80 to 443 (HTTPS). While this generally ensures secure communication over HTTPS, it creates a risk for the confidentiality and integrity of data transmitted during the initial request before the redirect. This is particularly concerning if the client is set to use HTTP and sends sensitive information before the switch to HTTPS.
Exploitation of this vulnerability could lead to the interception or alteration of confidential data sent in the first HTTP request before it is redirected to HTTPS.
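The exposure described above can be made concrete with a small audit helper. This is an added example, not SAP code: it parses a raw request as it would arrive on port 80 and lists what was already sent in cleartext before any redirect could take effect. The sensitive header and parameter name lists, the host name and the sample request are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Header names treated as sensitive are an assumption of this example.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}
# Parameter-name fragments treated as sensitive (assumption).
SENSITIVE_PARAM_HINTS = ("token", "password", "session", "secret", "key")


def cleartext_exposure(raw_request: bytes) -> list[str]:
    """Return what a plaintext port-80 request disclosed before any redirect."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Credentials carried in headers are on the wire as soon as the request is sent.
    findings = [f"header:{h}" for h in sorted(SENSITIVE_HEADERS.intersection(headers))]
    # Query-string and form parameters travel in the same unencrypted request.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    for name, _value in params:
        if any(hint in name.lower() for hint in SENSITIVE_PARAM_HINTS):
            findings.append(f"param:{name}")
    if body and method in ("POST", "PUT", "PATCH"):
        findings.append(f"body:{len(body)} bytes")
    return findings


# Constructed sample: a client configured with an http:// base URL submits a login.
SAMPLE_REQUEST = (
    b"POST /login?session_hint=abc HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Cookie: JSESSIONID=constructed-value\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

if __name__ == "__main__":
    for item in cleartext_exposure(SAMPLE_REQUEST):
        print("sent in cleartext before redirect:", item)
```

An empty result for a request means only the URL path and host were exposed; any non-empty result identifies a client that should be reconfigured to use an https:// URL directly.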
Users are advised to review and implement the latest SAP Security Notes, available through the SAP for Me platform. SAP Security Patch Day occurs on the second Tuesday of each month, when SAP releases important security updates. For more information on SAP Security Notes and Patch Days, consult the SAP Security Notes FAQ.