All the vulnerabilites related to SAP_SE - SAP Application Interface Framework (File Adapter)
cve-2024-21737
Vulnerability from cvelistv5
Published
2024-01-09 01:18
Modified
2024-08-01 22:27
Summary
Code Injection vulnerability in SAP Application Interface Framework (File Adapter)
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.109Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/3411869"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Application Interface Framework (File Adapter)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "702"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "In SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-09T01:18:19.305Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3411869"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Code Injection vulnerability in SAP Application Interface Framework (File Adapter)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-21737",
    "datePublished": "2024-01-09T01:18:19.305Z",
    "dateReserved": "2024-01-01T10:54:59.645Z",
    "dateUpdated": "2024-08-01T22:27:36.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}