SAP NetWeaver server info information disclosure - Vulnerability Database

Description

The SAP NetWeaver server information page exposes detailed system metadata including the application version number and installed service pack level without requiring authentication. This endpoint is publicly accessible by default and reveals internal configuration details that should be restricted to authorized administrators only.

Remediation

Apply SAP Security Note 1503856 to restrict access to the server information page. This note provides configuration changes to enforce authentication requirements before displaying system metadata. After applying the note, verify that the page is no longer accessible without proper credentials by testing access from an unauthenticated session. Additionally, review and implement access controls for other administrative endpoints to prevent similar information disclosure issues.
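One way to script the unauthenticated verification step described above. This is an added example, not code from SAP or from this database. The URL of the server information page is passed in by the operator, and the marker patterns and sample responses are assumptions to adjust to what your own system returns.

```python
import re
import urllib.error
import urllib.request

# Assumed markers of version / service pack metadata in a response body.
METADATA = re.compile(r"service\s*pack|\bversion\b\s*[:=]?\s*\d", re.I)
# Assumed signs of a logon form or logon redirect target.
LOGIN = re.compile(r"type=[\"']?password|j_security_check|log\s?[io]n", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it to a logon page


def classify(status, headers, body):
    """Classify one unauthenticated response: protected, exposed or inconclusive."""
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        # A redirect only counts as protection when it leads to a logon endpoint.
        return "protected" if LOGIN.search(headers.get("Location") or "") else "inconclusive"
    if status == 200:
        if METADATA.search(body):
            return "exposed"  # metadata leaked, even if a logon form is also shown
        if LOGIN.search(body):
            return "protected"
    return "inconclusive"  # 404, 5xx, empty page: verify by hand


def check(url, timeout=10):
    """Request url with no cookies or credentials and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, resp.read(65536).decode("latin-1"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers, err.read(65536).decode("latin-1"))


# Constructed responses for illustration, not captured from a real system.
SAMPLES = {
    "before_note": (200, {}, "<h1>Server Info</h1> Version: 0.00 Service Pack: 0"),
    "logon_redirect": (302, {"Location": "/logon/j_security_check"}, ""),
    "logon_form": (200, {}, "<form><input type='password' name='pw'></form>"),
    "not_found": (404, {}, ""),
}
```

An `inconclusive` result is not a pass: a 404 or an unrelated redirect can mean the wrong URL was tested rather than that access is restricted.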
