CVE-2025-26654

April 8, 2025, 6:13 p.m.

6.8
Medium

Description

SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.

Product(s) Impacted

Product Versions
commerce_cloud
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-319
Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References

https://me.sap.com/notes/3543274
https://url.sap/sapsecuritypatchday

Tags

CWE-319
cna@sap.com
2025-04-08
CVE-2025-26654

CVSS Score

6.8 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: April 8, 2025, 8:15 a.m.
Last Modified: April 8, 2025, 6:13 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@sap.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.