CVE-2024-24743: SAP NetWeaver AS Java XXE Vulnerability

CVE-2024-24743 is an XML External Entity (XXE) vulnerability in SAP NetWeaver Application Server Java that allows unauthenticated attackers to access sensitive files. This article covers technical details, affected versions, and mitigation.

CVE-2024-24743 Overview

CVE-2024-24743 affects SAP NetWeaver Application Server Java (CAF - Guided Procedures) version 7.50. The flaw is an XML External Entity (XXE) vulnerability [CWE-611] in the XML parser used by the Composite Application Framework (CAF) Guided Procedures component. An unauthenticated remote attacker can submit a crafted XML document over the network. When the server parses the document, the attacker can read sensitive files and data from the underlying system. The vulnerability does not allow modification of data, and expansion limits prevent availability impact.

Critical Impact

Unauthenticated remote attackers can disclose sensitive files and internal data from SAP NetWeaver AS Java systems through crafted XML payloads.

Affected Products

  • SAP NetWeaver Application Server Java 7.50
  • SAP NetWeaver AS Java Composite Application Framework (CAF)
  • SAP CAF Guided Procedures component

Discovery Timeline

  • 2024-02-13 - CVE-2024-24743 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-24743

Vulnerability Analysis

The vulnerability resides in the XML parsing logic of the CAF Guided Procedures module within SAP NetWeaver AS Java 7.50. The parser processes attacker-supplied XML without disabling external entity resolution. An unauthenticated attacker sends a crafted XML payload over the network to a reachable Guided Procedures endpoint. The parser resolves the embedded external entity references and returns the referenced content to the attacker, exposing local files and internal network resources.

The issue is limited to confidentiality. Integrity is not impacted because the parsed data cannot be used to alter server state. Availability is preserved because the SAP implementation enforces entity expansion limits that block billion-laughs style attacks. Network reachability of the affected endpoint is the only prerequisite for exploitation, and no privileges or user interaction are required.

Root Cause

The root cause is improper restriction of XML external entity references [CWE-611]. The XML parser used by CAF Guided Procedures resolves DOCTYPE declarations and external entities at parse time. Secure defaults that disable DOCTYPE processing, external general entities, and external parameter entities are not enforced before user input reaches the parser.
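The three controls named above (no DOCTYPE processing, no external general entities, no external parameter entities) are easiest to understand when applied to a small parser. The following is an added example written for this article, not SAP's code: it uses Python's expat bindings to refuse any document that declares a DTD and to refuse external entity dereferencing, and returns a summary only for documents that pass. The function names and the sample documents are constructed for illustration.

```python
"""Parse untrusted XML with DOCTYPE processing and external entity resolution refused.

Added example (not from SAP or the CVE entry). It shows the secure defaults the
root-cause section says were missing: a document carrying a DOCTYPE is rejected
before any entity is declared, and external entities are never dereferenced.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document uses a construct we refuse to process."""


def parse_untrusted(data: bytes) -> dict:
    """Return {"root": <root tag>, "elements": <count>} for a DTD-free document.

    Raises UnsafeXmlError if the document declares a DOCTYPE, and lets
    xml.parsers.expat.ExpatError propagate for malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Control 1: refuse DOCTYPE outright. Without a DTD there can be no
        # entity declarations, internal (billion laughs) or external (XXE).
        raise UnsafeXmlError(f"DOCTYPE {doctype_name!r} rejected")

    def external_entity_ref(context, base, system_id, public_id):
        # Controls 2 and 3: never fetch external general or parameter entities.
        # Returning 0 makes expat abort the parse instead of resolving system_id.
        # Unreachable once DOCTYPE is rejected, kept as defence in depth.
        return 0

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return summary


def accepts(data: bytes) -> bool:
    """True if parse_untrusted() processes the document, False if it refuses it."""
    try:
        parse_untrusted(data)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents: one plain document and one that declares a DTD
# with an external entity, which is the shape the Attack Vector section describes.
PLAIN_DOC = b"<process><step/><step/></process>"
DTD_DOC = b'<!DOCTYPE process [<!ENTITY ext SYSTEM "file:///example/path">]><process>&ext;</process>'

if __name__ == "__main__":
    print(parse_untrusted(PLAIN_DOC))   # {'root': 'process', 'elements': 3}
    print(accepts(DTD_DOC))             # False: DOCTYPE rejected before any resolution
```

Rejecting the DOCTYPE entirely is stricter than only disabling external entities, but it is the setting that removes the whole class, including internal entity expansion. On a JAXP/Xerces parser in Java, the same three controls are the `http://apache.org/xml/features/disallow-doctype-decl`, `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features.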

Attack Vector

An attacker delivers a malicious XML document to a network-exposed Guided Procedures endpoint. The XML contains a DOCTYPE declaration with an external entity referencing a local file path or an internal URL. When the server parses the request, the external entity is dereferenced and its contents are reflected in the application response or in error output. The attacker uses this primitive to enumerate files such as configuration data, credentials, or other server-side resources accessible to the Java process.

No verified public proof-of-concept code is available for this CVE. Refer to SAP Note #3426111 for vendor technical details.

Detection Methods for CVE-2024-24743

Indicators of Compromise

  • HTTP requests to SAP NetWeaver AS Java Guided Procedures endpoints containing <!DOCTYPE or <!ENTITY declarations in the request body.
  • XML payloads referencing SYSTEM or PUBLIC identifiers pointing to file://, http://, or internal hostnames.
  • Unexpected outbound connections from the SAP Java process to attacker-controlled hosts immediately following inbound XML traffic.
  • Application server logs showing XML parser errors tied to entity resolution on CAF Guided Procedures URLs.

Detection Strategies

  • Inspect HTTP request bodies destined for SAP NetWeaver AS Java for DOCTYPE and ENTITY tokens and alert on matches.
  • Correlate inbound XML POST requests with subsequent outbound network connections from the SAP host to non-business destinations.
  • Apply web application firewall signatures for XXE patterns on URIs associated with the Guided Procedures component.
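The indicators of compromise and the detection strategies above reduce to a body inspection that a log pipeline or WAF rule can perform: flag DOCTYPE and ENTITY tokens, extract SYSTEM/PUBLIC identifiers, and classify where they point. The following scanner is an added example written for this article, not a SentinelOne, SAP or NVD artifact. The Guided Procedures URI prefix, the internal DNS suffixes and the sample requests are all constructed placeholders; replace them with values from your own landscape.

```python
"""Scan HTTP request records for the XXE indicators listed for CVE-2024-24743.

Added example (not from the vendor or the CVE entry). Implements the page's
detection strategy: alert on DOCTYPE/ENTITY tokens in XML bodies bound for
SAP NetWeaver AS Java, and raise severity when the request targets Guided
Procedures or the external identifier points at a file or an internal host.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Placeholder URI prefixes for the Guided Procedures component (assumption:
# the real paths come from your SAP landscape, not from this example).
GP_URI_PREFIXES = ("/example/guided-procedures/",)

# Internal DNS suffixes are an assumption; adjust to the monitored estate.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp")

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# SYSTEM "uri"   |   PUBLIC "public-id" "uri"   (single or double quotes)
SYSTEM_RE = re.compile(r"\bSYSTEM\s+([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)
PUBLIC_RE = re.compile(r"\bPUBLIC\s+([\"'])(.*?)\1\s+([\"'])(.*?)\3", re.IGNORECASE | re.DOTALL)


@dataclass
class Request:
    method: str
    path: str
    body: str = ""


@dataclass
class Finding:
    path: str
    targets_gp: bool
    has_doctype: bool
    has_entity: bool
    external_refs: list = field(default_factory=list)  # (keyword, uri, category)

    @property
    def alert(self) -> bool:
        return self.has_doctype or self.has_entity

    @property
    def severity(self) -> str:
        if not self.alert:
            return "none"
        sensitive = any(cat in ("file", "internal-host") for _, _, cat in self.external_refs)
        return "high" if (self.targets_gp or sensitive) else "medium"


def classify_uri(uri: str) -> str:
    """Bucket an external identifier: file, internal-host, external-host or other."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() == "file" or (not parsed.scheme and uri.startswith("/")):
        return "file"
    host = (parsed.hostname or "").lower()
    if not host:
        return "other"
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return "internal-host"
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return "internal-host"
    except ValueError:
        pass  # a hostname, not an IP literal
    return "external-host"


def external_identifiers(body: str) -> list:
    refs = [("SYSTEM", m.group(2), classify_uri(m.group(2))) for m in SYSTEM_RE.finditer(body)]
    refs += [("PUBLIC", m.group(4), classify_uri(m.group(4))) for m in PUBLIC_RE.finditer(body)]
    return refs


def scan_request(req: Request) -> Finding:
    return Finding(
        path=req.path,
        targets_gp=req.path.startswith(GP_URI_PREFIXES),
        has_doctype=bool(DOCTYPE_RE.search(req.body)),
        has_entity=bool(ENTITY_RE.search(req.body)),
        external_refs=external_identifiers(req.body),
    )


def scan_requests(requests) -> list:
    """Return only the findings that should raise an alert."""
    return [f for f in map(scan_request, requests) if f.alert]


# Constructed sample traffic; none of these were captured from a real system.
SAMPLE_REQUESTS = [
    Request("POST", "/example/guided-procedures/start",
            '<?xml version="1.0"?><process><name>onboarding</name></process>'),
    Request("POST", "/example/guided-procedures/start",
            '<!DOCTYPE proc [<!ENTITY x SYSTEM "file:///etc/passwd">]><proc>&x;</proc>'),
    Request("POST", "/example/other/upload",
            '<!DOCTYPE gp PUBLIC "-//EXAMPLE//DTD//EN" "http://10.0.0.5/gp.dtd"><gp/>'),
    Request("POST", "/example/other/upload",
            '<!DOCTYPE doc SYSTEM "http://dtd.example.com/doc.dtd"><doc/>'),
    Request("GET", "/example/guided-procedures/status"),
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f.severity, f.path, f.external_refs)
```

The medium-severity bucket (a DOCTYPE pointing at a public DTD on a non-Guided-Procedures path) exists so that ordinary schema-bearing XML from legitimate integrations does not page anyone, while anything touching the affected component or an internal resource does.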

Monitoring Recommendations

  • Forward SAP NetWeaver AS Java HTTP access logs and application logs to a centralized analytics pipeline for retention and search.
  • Monitor process-level file access on the SAP host for reads of sensitive paths such as /etc/passwd, SAP profile directories, and secure store files.
  • Track egress traffic from SAP servers and flag connections that deviate from documented integration endpoints.

How to Mitigate CVE-2024-24743

Immediate Actions Required

  • Apply the fix described in SAP Note #3426111 to all SAP NetWeaver AS Java 7.50 systems running the CAF Guided Procedures component.
  • Restrict network access to Guided Procedures endpoints so only authorized internal consumers can reach them.
  • Review SAP application and HTTP logs for prior XML requests containing external entity declarations.

Patch Information

SAP released a security fix referenced in SAP Note #3426111. Administrators should authenticate to the SAP Support Portal, download the corresponding patch for SAP NetWeaver AS Java 7.50, and apply it through standard SAP transport and deployment processes. Additional guidance is available in the SAP Security Patch Day documentation.

Workarounds

  • Place a reverse proxy or web application firewall in front of SAP NetWeaver AS Java and block requests containing <!DOCTYPE or <!ENTITY declarations in XML bodies.
  • Disable or restrict access to the CAF Guided Procedures component if it is not in active use.
  • Limit outbound network connectivity from SAP NetWeaver AS Java hosts so that external entity resolution cannot reach attacker-controlled destinations.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
