CVE-2024-47592: 
SAP NetWeaver Application Server Java vulnerability analysis and mitigation

SAP NetWeaver AS Java contains a vulnerability that allows an unauthenticated attacker to brute force the login functionality to identify legitimate user IDs. The vulnerability was disclosed on November 11, 2024, and is tracked as CVE-2024-47592. This security flaw specifically affects the login application component of SAP NetWeaver Application Server Java (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs no user interaction (UI:N). The scope is unchanged (S:U), with low impact on confidentiality (C:L) and no impact on integrity (I:N) or availability (A:N). The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) (NVD).

The vulnerability impacts the confidentiality of the system by allowing attackers to enumerate valid user IDs through brute force attacks against the login functionality. However, there is no impact on the system's integrity or availability (NVD).

SAP has released security patches to address this vulnerability. Users should refer to SAP Security Note 3393899 for detailed mitigation instructions (SAP Note, SAP Patch Day).