Vulnerabilites related to sap - abap_platform_kernel
Vulnerability from fkie_nvd
Published
2023-04-11 03:15
Modified
2024-11-21 07:56
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | abap_platform_kernel | 7.85 | |
| sap | abap_platform_kernel | 7.89 | |
| sap | abap_platform_kernel | 7.91 | |
| sap | web_dispatcher | 7.85 | |
| sap | web_dispatcher | 7.89 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.85:*:*:*:*:*:*:*", matchCriteriaId: "F6B284F5-7F46-4764-8B24-8D4C88E211B8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.89:*:*:*:*:*:*:*", matchCriteriaId: "5EA6FA84-0C5C-457C-99F1-60D89E6BD13C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.91:*:*:*:*:*:*:*", matchCriteriaId: "3DD0218F-2104-414D-B0C1-2EFD5A01A602", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", matchCriteriaId: "F74EE4D5-E968-4851-89E6-4152F64930F2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:web_dispatcher:7.89:*:*:*:*:*:*:*", matchCriteriaId: "097ED3E8-49B1-497E-BD43-28C397FBEAE8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.\n\n", }, ], id: "CVE-2023-29108", lastModified: "2024-11-21T07:56:33.820", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-11T03:15:07.867", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3315312", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/3315312", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-923", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-11-10 16:15
Modified
2024-11-21 06:24
Severity ?
Summary
SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3099776 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3099776 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | abap_platform_kernel | 7.77 | |
| sap | abap_platform_kernel | 7.81 | |
| sap | abap_platform_kernel | 7.85 | |
| sap | abap_platform_kernel | 7.86 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.77:*:*:*:*:*:*:*", matchCriteriaId: "36BD4905-9BAE-4AAA-9840-48200191430D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.81:*:*:*:*:*:*:*", matchCriteriaId: "03CA5653-5E5C-4E9A-B840-65EA3ECEB19E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.85:*:*:*:*:*:*:*", matchCriteriaId: "F6B284F5-7F46-4764-8B24-8D4C88E211B8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:abap_platform_kernel:7.86:*:*:*:*:*:*:*", matchCriteriaId: "04ABF1B3-420D-4181-90B6-A147B35E4112", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.", }, { lang: "es", value: "SAP ABAP Platform Kernel - versiones 7.77, 7.81, 7.85, 7.86, no lleva a cabo las comprobaciones de autorización necesarias para un usuario empresarial autenticado, resultando en una escalada de privilegios. Esto significa que este usuario empresarial es capaz de leer y modificar datos más allá del sistema vulnerable. Sin embargo, el atacante no puede reducir significativamente el rendimiento del sistema ni detenerlo", }, ], id: "CVE-2021-40501", lastModified: "2024-11-21T06:24:16.423", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 5.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-11-10T16:15:08.517", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3099776", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/3099776", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
CVE-2021-40501 (GCVE-0-2021-40501)
Vulnerability from cvelistv5
Published
2021-11-10 15:22
Modified
2024-08-04 02:44
Severity ?
EPSS score ?
Summary
SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://launchpad.support.sap.com/#/notes/3099776 | x_refsource_MISC | |
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP ABAP Platform Kernel |
Version: < 7.77 Version: < 7.81 Version: < 7.85 Version: < 7.86 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:44:10.848Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3099776", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP ABAP Platform Kernel", vendor: "SAP SE", versions: [ { status: "affected", version: "< 7.77", }, { status: "affected", version: "< 7.81", }, { status: "affected", version: "< 7.85", }, { status: "affected", version: "< 7.86", }, ], }, ], descriptions: [ { lang: "en", value: "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-11-10T15:22:15", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/3099776", }, { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2021-40501", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP ABAP Platform Kernel", version: { version_data: [ { version_name: "<", version_value: "7.77", }, { version_name: "<", version_value: "7.81", }, { version_name: "<", version_value: "7.85", }, { version_name: "<", version_value: "7.86", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.", }, ], }, impact: { cvss: { baseScore: "null", vectorString: "null", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-862", }, ], }, ], }, references: { reference_data: [ { name: "https://launchpad.support.sap.com/#/notes/3099776", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/3099776", }, { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2021-40501", datePublished: "2021-11-10T15:22:15", dateReserved: "2021-09-03T00:00:00", dateUpdated: "2024-08-04T02:44:10.848Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-29108 (GCVE-0-2023-29108)
Vulnerability from cvelistv5
Published
2023-04-11 02:56
Modified
2025-02-12 19:24
Severity ?
EPSS score ?
Summary
The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP | ABAP Platform and SAP Web Dispatcher |
Version: WEBDISP 7.85 Version: WEBDISP 7.89 Version: KERNEL 7.85 Version: KERNEL 7.89 Version: KERNEL 7.91 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:00:15.410Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/3315312", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-29108", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-12T19:23:31.987405Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-12T19:24:16.822Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "ABAP Platform and SAP Web Dispatcher", vendor: "SAP", versions: [ { status: "affected", version: "WEBDISP 7.85", }, { status: "affected", version: "WEBDISP 7.89", }, { status: "affected", version: "KERNEL 7.85", }, { status: "affected", version: "KERNEL 7.89", }, { status: "affected", version: "KERNEL 7.91", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.</p>", }, ], value: "The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-923", description: "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T02:56:58.666Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://launchpad.support.sap.com/#/notes/3315312", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "IP filter vulnerability in ABAP Platform and SAP Web Dispatcher\t ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-29108", datePublished: "2023-04-11T02:56:58.666Z", dateReserved: "2023-03-31T10:01:53.359Z", dateUpdated: "2025-02-12T19:24:16.822Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }