SAP NetWeaver server info information disclosure BCB
Description
The SAP NetWeaver Business Configuration Builder (BCB) exposes a system information page that reveals detailed version information, including the application version and service pack level. This endpoint is publicly accessible by default without authentication, allowing unauthorized users to enumerate system configuration details that should remain internal.
Remediation
Apply SAP Security Note 1548548 to restrict access to the Business Configuration Builder system information page. The note provides configuration changes that enforce authentication on the page and limit access to authorized administrators only. Verify the fix by requesting the BCB system information endpoint without authentication; the request should be denied. Additionally, review and apply related security notes, such as Note 1623565, which updates the original note. Regularly monitor SAP security notes and keep service pack levels current to minimize information disclosure risks.
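As an added verification check, not part of this advisory or of any SAP tooling: a small Python script that requests the BCB system information page with no credentials and classifies the response the way the remediation step above describes (denied, still disclosing version details, or inconclusive). The URL path and the version/logon marker strings are assumptions, since the page gives no path; replace the placeholder with the path named in the SAP note.

```python
import re
import sys
import urllib.error
import urllib.request

# Placeholder: the real BCB system-information path is not given on this page.
BCB_SYSINFO_PATH = "/PLACEHOLDER_BCB_SYSTEM_INFO_PATH"

# Assumed markers of a page that still discloses build details to anonymous users.
VERSION_MARKERS = re.compile(r"(service\s*pack|support\s*package|\bversion\b|\bSP\d+\b)", re.I)
# Assumed markers of a logon form being served instead of the system information.
LOGIN_MARKERS = re.compile(r"(<input[^>]+type=[\"']?password|j_password|logon)", re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a logon page is itself the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urllib raises HTTPError carrying the 3xx code


def classify(status, body):
    """Map an unauthenticated response to 'remediated', 'exposed' or 'inconclusive'."""
    if status in (401, 403):
        return "remediated"      # authentication is now enforced
    if status in (301, 302, 303, 307) or LOGIN_MARKERS.search(body):
        return "remediated"      # redirected to, or served, a logon form instead of data
    if status == 200 and VERSION_MARKERS.search(body):
        return "exposed"         # still serving version / service pack details anonymously
    return "inconclusive"        # e.g. 404 (component absent) or an unexpected page


def check_host(base_url, timeout=10):
    """Fetch the BCB system-info page with no credentials and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + BCB_SYSINFO_PATH,
                                 headers={"User-Agent": "bcb-remediation-check"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 3xx/4xx/5xx responses arrive here; classify them by status and body.
        return classify(e.code, e.read(65536).decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python check_bcb.py https://sap-host.example:50000
    target = sys.argv[1] if len(sys.argv) > 1 else "https://sap-host.example"
    print(check_host(target))
```

Run it against the same host before and after applying the note; the result should move from "exposed" to "remediated", and "inconclusive" means the path is wrong or the component is not deployed.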