CVE-2024-33006 - Vulnerability Details - OpenCVE

An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00534.

Exploitation None

Automatable No

Technical Impact Total

Vendors	Products
Sap Subscribe	Netweaver Subscribe

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30751	An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://me.sap.com/notes/3448171
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html

History

Tue, 16 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap netweaver
CPEs		cpe:2.3:a:sap:netweaver:754:::::::* cpe:2.3:a:sap:netweaver:755:::::::* cpe:2.3:a:sap:netweaver:756:::::::* cpe:2.3:a:sap:netweaver:757:::::::* cpe:2.3:a:sap:netweaver:758:::::::*
Vendors & Products		Sap Sap netweaver
Metrics		ssvc `{'options': {'Automatable': 'No', 'Exploitation': 'None', 'Technical Impact': 'Total'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2024-05-14T04:16:06.647Z

Updated: 2025-12-16T18:13:19.922Z

Reserved: 2024-04-23T04:04:25.521Z

Link: CVE-2024-33006

Vulnrichment

Updated: 2024-08-02T02:27:53.232Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T16:17:14.250

Modified: 2024-11-21T09:16:13.160

Link: CVE-2024-33006

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-434

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-33006", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2024-04-23T04:04:25.521Z", "datePublished": "2024-05-14T04:16:06.647Z", "dateUpdated": "2025-12-16T18:13:19.922Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP and ABAP Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_BASIS 700"}, {"status": "affected", "version": "SAP_BASIS 701 "}, {"status": "affected", "version": "SAP_BASIS 702 "}, {"status": "affected", "version": "SAP_BASIS 731"}, {"status": "affected", "version": "SAP_BASIS 740"}, {"status": "affected", "version": "SAP_BASIS 750"}, {"status": "affected", "version": "SAP_BASIS 751"}, {"status": "affected", "version": "SAP_BASIS 752"}, {"status": "affected", "version": "SAP_BASIS 753"}, {"status": "affected", "version": "SAP_BASIS 754"}, {"status": "affected", "version": "SAP_BASIS 755"}, {"status": "affected", "version": "SAP_BASIS 756"}, {"status": "affected", "version": "SAP_BASIS 757"}, {"status": "affected", "version": "SAP_BASIS 758 "}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n"}], "value": "\nAn unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-05-14T04:16:06.647Z"}, "references": [{"url": "https://me.sap.com/notes/3448171"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"}], "source": {"discovery": "UNKNOWN"}, "title": "File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-17T04:00:35.814972Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sap:netweaver:754:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "754"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:755:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "755"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:756:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "756"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:757:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "757"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:758:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "758"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T18:13:19.922Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.232Z"}, "title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3448171", "tags": ["x_transferred"]}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://me.sap.com/notes/3448171", "tags": ["x_transferred"]}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.232Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33006", "role": "CISA Coordinator", "options": [{"Exploitation": "None"}, {"Automatable": "No"}, {"Technical Impact": "Total"}], "version": "2.0.3", "timestamp": "2024-05-17T04:00:35.814972Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sap:netweaver:754:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "754"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:755:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "755"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:756:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "756"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:757:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "757"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sap:netweaver:758:*:*:*:*:*:*:*"], "vendor": "sap", "product": "netweaver", "versions": [{"status": "affected", "version": "758"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-17T12:16:01.701Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP NetWeaver Application Server ABAP and ABAP Platform", "versions": [{"status": "affected", "version": "SAP_BASIS 700"}, {"status": "affected", "version": "SAP_BASIS 701 "}, {"status": "affected", "version": "SAP_BASIS 702 "}, {"status": "affected", "version": "SAP_BASIS 731"}, {"status": "affected", "version": "SAP_BASIS 740"}, {"status": "affected", "version": "SAP_BASIS 750"}, {"status": "affected", "version": "SAP_BASIS 751"}, {"status": "affected", "version": "SAP_BASIS 752"}, {"status": "affected", "version": "SAP_BASIS 753"}, {"status": "affected", "version": "SAP_BASIS 754"}, {"status": "affected", "version": "SAP_BASIS 755"}, {"status": "affected", "version": "SAP_BASIS 756"}, {"status": "affected", "version": "SAP_BASIS 757"}, {"status": "affected", "version": "SAP_BASIS 758 "}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3448171"}, {"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nAn unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-05-14T04:16:06.647Z"}}}, "cveMetadata": {"cveId": "CVE-2024-33006", "state": "PUBLISHED", "dateUpdated": "2025-12-16T16:42:59.024Z", "dateReserved": "2024-04-23T04:04:25.521Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2024-05-14T04:16:06.647Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}