Search criteria
2 vulnerabilities found for SAP Transportation Management (Collaboration Portal) by SAP_SE
CVE-2024-37171 (GCVE-0-2024-37171)
Vulnerability from cvelistv5 – Published: 2024-07-09 04:21 – Updated: 2024-08-02 03:50
VLAI?
Title
[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)
Summary
SAP Transportation Management (Collaboration
Portal) allows an attacker with non-administrative privileges to send a crafted
request from a vulnerable web application. This will trigger the application
handler to send a request to an unintended service, which may reveal
information about that service. The information obtained could be used to
target internal systems behind firewalls that are normally inaccessible to an
attacker from the external network, resulting in a Server-Side Request Forgery
vulnerability. There is no effect on integrity or availability of the
application.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Transportation Management (Collaboration Portal) |
Affected:
SAPTMUI 140
Affected: SAPTMUI 150 Affected: SAPTMUI 160 Affected: SAPTMUI 170 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:50:45.205875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:50:55.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3469958"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Transportation Management (Collaboration Portal)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPTMUI 140"
},
{
"status": "affected",
"version": "SAPTMUI 150"
},
{
"status": "affected",
"version": "SAPTMUI 160"
},
{
"status": "affected",
"version": "SAPTMUI 170"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP Transportation Management (Collaboration\nPortal) allows an attacker with non-administrative privileges to send a crafted\nrequest from a vulnerable web application. This will trigger the application\nhandler to send a request to an unintended service, which may reveal\ninformation about that service. The information obtained could be used to\ntarget internal systems behind firewalls that are normally inaccessible to an\nattacker from the external network, resulting in a Server-Side Request Forgery\nvulnerability. There is no effect on integrity or availability of the\napplication.\n\n\n\n"
}
],
"value": "SAP Transportation Management (Collaboration\nPortal) allows an attacker with non-administrative privileges to send a crafted\nrequest from a vulnerable web application. This will trigger the application\nhandler to send a request to an unintended service, which may reveal\ninformation about that service. The information obtained could be used to\ntarget internal systems behind firewalls that are normally inaccessible to an\nattacker from the external network, resulting in a Server-Side Request Forgery\nvulnerability. There is no effect on integrity or availability of the\napplication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:21:21.292Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3469958"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37171",
"datePublished": "2024-07-09T04:21:21.292Z",
"dateReserved": "2024-06-04T07:49:42.491Z",
"dateUpdated": "2024-08-02T03:50:54.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37171 (GCVE-0-2024-37171)
Vulnerability from nvd – Published: 2024-07-09 04:21 – Updated: 2024-08-02 03:50
VLAI?
Title
[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)
Summary
SAP Transportation Management (Collaboration
Portal) allows an attacker with non-administrative privileges to send a crafted
request from a vulnerable web application. This will trigger the application
handler to send a request to an unintended service, which may reveal
information about that service. The information obtained could be used to
target internal systems behind firewalls that are normally inaccessible to an
attacker from the external network, resulting in a Server-Side Request Forgery
vulnerability. There is no effect on integrity or availability of the
application.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Transportation Management (Collaboration Portal) |
Affected:
SAPTMUI 140
Affected: SAPTMUI 150 Affected: SAPTMUI 160 Affected: SAPTMUI 170 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:50:45.205875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:50:55.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3469958"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Transportation Management (Collaboration Portal)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPTMUI 140"
},
{
"status": "affected",
"version": "SAPTMUI 150"
},
{
"status": "affected",
"version": "SAPTMUI 160"
},
{
"status": "affected",
"version": "SAPTMUI 170"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP Transportation Management (Collaboration\nPortal) allows an attacker with non-administrative privileges to send a crafted\nrequest from a vulnerable web application. This will trigger the application\nhandler to send a request to an unintended service, which may reveal\ninformation about that service. The information obtained could be used to\ntarget internal systems behind firewalls that are normally inaccessible to an\nattacker from the external network, resulting in a Server-Side Request Forgery\nvulnerability. There is no effect on integrity or availability of the\napplication.\n\n\n\n"
}
],
"value": "SAP Transportation Management (Collaboration\nPortal) allows an attacker with non-administrative privileges to send a crafted\nrequest from a vulnerable web application. This will trigger the application\nhandler to send a request to an unintended service, which may reveal\ninformation about that service. The information obtained could be used to\ntarget internal systems behind firewalls that are normally inaccessible to an\nattacker from the external network, resulting in a Server-Side Request Forgery\nvulnerability. There is no effect on integrity or availability of the\napplication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:21:21.292Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3469958"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-37171",
"datePublished": "2024-07-09T04:21:21.292Z",
"dateReserved": "2024-06-04T07:49:42.491Z",
"dateUpdated": "2024-08-02T03:50:54.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}