{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-42936","assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","state":"PUBLISHED","assignerShortName":"sap","dateReserved":"2025-04-16T13:25:34.582Z","datePublished":"2025-08-12T02:05:19.690Z","dateUpdated":"2026-02-26T17:49:45.593Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP NetWeaver Application Server for ABAP","vendor":"SAP_SE","versions":[{"status":"affected","version":"SAP_BASIS 700"},{"status":"affected","version":"SAP_BASIS 701"},{"status":"affected","version":"SAP_BASIS 702"},{"status":"affected","version":"SAP_BASIS 731"},{"status":"affected","version":"SAP_BASIS 740"},{"status":"affected","version":"SAP_BASIS 750"},{"status":"affected","version":"SAP_BASIS 751"},{"status":"affected","version":"SAP_BASIS 752"},{"status":"affected","version":"SAP_BASIS 753"},{"status":"affected","version":"SAP_BASIS 754"},{"status":"affected","version":"SAP_BASIS 755"},{"status":"affected","version":"SAP_BASIS 756"},{"status":"affected","version":"SAP_BASIS 757"},{"status":"affected","version":"SAP_BASIS 758"},{"status":"affected","version":"SAP_BASIS 816"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.</p>"}],"value":"The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-266","description":"CWE-266: Incorrect Privilege Assignment","lang":"eng","type":"CWE"}]}],"providerMetadata":{"orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap","dateUpdated":"2025-08-12T02:05:19.690Z"},"references":[{"url":"https://me.sap.com/notes/3602656"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"Missing Authorization check in SAP NetWeaver Application Server for ABAP","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-42936","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-08-13T15:03:52.143215Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:49:45.593Z"}}]}}