SAP NetWeaver Enterprise Portal JNDI Injection Vulnerability Allowing Information Disclosure

Vulnerability

A vulnerability in SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL for JNDI lookups, potentially accessing unintended JNDI providers. This could lead to unauthorized disclosure or modification of server information, although it does not impact server availability.

Impact

Exploitation of this vulnerability could result in unauthorized access to JNDI providers, allowing for the disclosure or modification of sensitive server information.

Remediation

Users are advised to consult the SAP Security Notes for guidance on applying the necessary patches. SAP Security Notes can be accessed through the SAP for Me platform; they are released on SAP Security Patch Days, which occur on the second Tuesday of each month.

Added: Nov 11, 2025, 1:33 AM
Updated: Nov 11, 2025, 1:33 AM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 5.0
exploitability: 7.4
remediation: 8.3
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.