{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-42976", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-04-16T13:25:45.231Z", "datePublished": "2025-08-12T02:10:06.835Z", "dateUpdated": "2025-08-13T20:19:41.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP (BIC Document)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "S4COREOP 104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "SEM-BW 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "634"}, {"status": "affected", "version": "736"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information.</p>"}], "value": "SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-08-12T02:10:06.835Z"}, "references": [{"url": "https://me.sap.com/notes/3611184"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T13:30:39.463807Z", "id": "CVE-2025-42976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T20:19:41.155Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information."}, {"lang": "es", "value": "SAP NetWeaver Application Server ABAP (Documento BIC) permite a un atacante autenticado manipular una solicitud que, al enviarse a una aplicaci\u00f3n de Documento BIC, podr\u00eda causar un error de corrupci\u00f3n de memoria. Si se explota con \u00e9xito, esto provoca el bloqueo del componente objetivo. M\u00faltiples env\u00edos pueden dejar el objetivo completamente indisponible. Un env\u00edo similar puede utilizarse para realizar una operaci\u00f3n de lectura fuera de los l\u00edmites, revelando informaci\u00f3n confidencial cargada en memoria en ese momento. No es posible modificar la informaci\u00f3n."}], "id": "CVE-2025-42976", "lastModified": "2025-08-12T14:25:33.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2025-08-12T03:15:28.603", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3611184"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cna@sap.com", "type": "Primary"}]}

{}