Advisory
A note with CVSS 6.0 for component BC-FES-WGU was released by SAP on 14.01.2025. The correction/advisory 3503138 was described with "[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)" and affects the system type SAP GUI / Frontend.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is information disclosure within SAP GUI / Frontend.
Information disclosure is when an application fails to properly protect sensitive and confidential information from
parties that are not supposed to have access to the subject matter in normal circumstances.
Carefully review every information disclosure vulnerablity in regards to disclosure obligations post-GDPR for
‘Personal data’ under the Data Protection Act 2018.
Risk specification
This note has been re-released with updated Correction Instruction information. In SAP GUI for HTML, an authenticated attacker with administrative privileges on the client PC or access to the victim’s browser data can access the input history database, leading to disclosure of potentially sensitive data.Solution
Until a final fix is available, adjust the service parameters as described in the workaround. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "In consideration of the user experience, the input history can be completely deactivated or the retention time can be reduced with the following service parameters:- Disable the input history: ~sap-disableinputhistory = 1 (see SAP Note 2156174) - Reduce the retention time of the data entered by the user: ~data_aging_default (see SAP Note 2660665) - Remove the ability to change the retention time for end users: ~data_aging_readonly = 1 (see SAP Note 2660665)".
The advisory is valid for
- KERNEL 7.53 48
- KERNEL 7.54 27
- KERNEL 7.77 46
- KERNEL 7.89 29
- KERNEL 7.93 23
- KERNEL 9.12 5
- KERNEL 9.14 7
- KRNL64UC 7.53 48
- 9.9 [CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Framework)
- 9.9 [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)
- 9.8 [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management )
- 9.1 [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
- 9.0 [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)