Vulnerabilities related to sap - s\/4_hana
Vulnerability from fkie_nvd
Published
2020-12-09 17:15
Modified
2024-11-21 05:20
Severity ?
Summary
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sap | netweaver_application_server_abap | 2011_1_620 | |
sap | netweaver_application_server_abap | 2011_1_640 | |
sap | netweaver_application_server_abap | 2011_1_700 | |
sap | netweaver_application_server_abap | 2011_1_710 | |
sap | netweaver_application_server_abap | 2011_1_730 | |
sap | netweaver_application_server_abap | 2011_1_731 | |
sap | netweaver_application_server_abap | 2011_1_752 | |
sap | netweaver_application_server_abap | 2020 | |
sap | s\/4_hana | 101 | |
sap | s\/4_hana | 102 | |
sap | s\/4_hana | 103 | |
sap | s\/4_hana | 104 | |
sap | s\/4_hana | 105 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*", matchCriteriaId: "81582DC5-7D38-4E36-80D1-70F68E72ACA2", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*", matchCriteriaId: "6CBC1FEB-12A4-404D-B48B-31A5E79832C3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*", matchCriteriaId: "6C062334-A441-489F-A75D-28B42607FE0C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*", matchCriteriaId: "6EB166D4-5807-4808-B9BA-12A0EE106C3A", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*", matchCriteriaId: "50FAC71E-03BA-4A90-80FB-A78F958C172E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*", matchCriteriaId: "EC8602D8-0EF3-452D-B993-8FC39C54E04E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*", matchCriteriaId: "063830D7-CFDF-426B-868E-B6E4FE629220", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*", matchCriteriaId: "BFE1EFA9-6E58-4508-9A7D-4F25D8F8E57B", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:101:*:*:*:*:*:*:*", matchCriteriaId: "7A800EB9-BD11-46B8-9866-31088F01D433", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: 
"A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, { lang: "es", value: "SAP AS ABAP (SAP Landscape Transformation), versiones - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 y SAP S4 HANA (SAP Landscape Transformation), versiones - 101, 102, 103, 104, 105, permite a un usuario muy privilegiado ejecutar un módulo de función RFC al que debe estar restringido el acceso; sin embargo, debido a una falta de autorización, un atacante puede obtener acceso a información interna confidencial del sistema SAP vulnerable o hacer a sistemas SAP vulnerables no disponibles completamente", }, ], id: "CVE-2020-26832", lastModified: "2024-11-21T05:20:21.883", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:C", version: "2.0", }, exploitabilityScore: 8, impactScore: 7.8, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: 
"HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 4.7, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 4.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-09T17:15:31.260", references: [ { source: "cna@sap.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "cna@sap.com", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: 
"https://launchpad.support.sap.com/#/notes/2993132", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-12 02:15
Modified
2024-11-21 08:21
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Summary
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3369680 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3369680 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:s\\/4_hana:100:*:*:*:*:*:*:*", matchCriteriaId: "D978AA69-72A7-4A7E-B3A1-8D342B4B77CE", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:101:*:*:*:*:*:*:*", matchCriteriaId: "7A800EB9-BD11-46B8-9866-31088F01D433", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*", matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*", matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:108:*:*:*:*:*:*:*", matchCriteriaId: "F794CB63-BF34-42D5-9998-CD2F2B2FF25F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.\n\n", }, { lang: "es", value: "La aplicación Create Single Payment de SAP S/4HANA - versiones 100, 101, 102, 103, 104, 105, 106, 107, 108, permite a un atacante cargar el archivo XML como datos adjuntos. 
Cuando se hace clic en el archivo XML en la sección de datos adjuntos, el archivo se abre en el navegador para hacer que los bucles de entidad ralenticen el navegador.", }, ], id: "CVE-2023-41369", lastModified: "2024-11-21T08:21:10.440", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-12T02:15:12.983", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3369680", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3369680", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-611", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-10-08 04:15
Modified
2024-11-14 17:56
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3251893 | Permissions Required | |
cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*", matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*", matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.", }, { lang: "es", value: "Los campos que están en estado de \"solo lectura\" en Bank Statement Draft in Manage Bank Statements application. La propiedad de una entidad OData que representa un método supuestamente inmutable no está protegida contra modificaciones externas que provoquen violaciones de integridad. 
La confidencialidad y la disponibilidad no se ven afectadas.", }, ], id: "CVE-2024-45282", lastModified: "2024-11-14T17:56:17.007", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-10-08T04:15:08.633", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3251893", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-650", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-12 02:15
Modified
2024-11-21 08:21
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3355675 | Permissions Required | |
cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3355675 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*", matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*", matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*", matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n", }, { lang: "es", value: "El servicio OData de S4 HANA (Manage checkbook apps), versiones 102, 103, 104, 105, 106, 107, permite a un atacante cambiar el nombre del checkbook simulando una llamada OData de actualización.", }, ], id: "CVE-2023-41368", lastModified: "2024-11-21T08:21:10.293", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, 
baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-12T02:15:12.847", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3355675", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3355675", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-639", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-06-11 03:15
Modified
2024-11-21 09:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Manage Incoming Payment Files (F1680) of SAP
S/4HANA does not perform necessary authorization checks for an authenticated
user, resulting in escalation of privileges. As a result, it has high impact on
integrity and no impact on the confidentiality and availability of the system.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://me.sap.com/notes/3466175 | Permissions Required | |
cna@sap.com | https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3466175 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html | Patch, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*", matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*", matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*", matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*", matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*", matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:108:*:*:*:*:*:*:*", matchCriteriaId: "F794CB63-BF34-42D5-9998-CD2F2B2FF25F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:s4core_102:*:*:*:*:*:*:*", matchCriteriaId: "5EE327B2-5E3C-4C52-9DC6-0D0A5A7B29C1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.", }, { lang: "es", value: "Administrar archivos de pagos entrantes (F1680) de SAP S/4HANA no realiza las verificaciones de autorización necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. 
Como resultado, tiene un alto impacto en la integridad y ningún impacto en la confidencialidad y disponibilidad del sistema.", }, ], id: "CVE-2024-34691", lastModified: "2024-11-21T09:19:12.357", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-06-11T03:15:11.780", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3466175", }, { source: "cna@sap.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3466175", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-02-12 20:15
Modified
2024-11-21 05:35
Severity ?
Summary
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.
References
Source | URL | Tags | |
---|---|---|---|
cna@sap.com | https://launchpad.support.sap.com/#/notes/2857511 | Permissions Required, Vendor Advisory | |
cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2857511 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:erp:6.0:*:*:*:*:*:*:*", matchCriteriaId: "567E715A-39D9-4524-A60B-0A919A460D7D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:1511:*:*:*:*:*:*:*", matchCriteriaId: "02BC74F5-5560-4459-B712-5834DEB85B45", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:1610:*:*:*:*:*:*:*", matchCriteriaId: "7CDC5426-D2C1-430A-96AF-F25CE04A01A7", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:1709:*:*:*:*:*:*:*", matchCriteriaId: "D2F4BB0A-56DD-4A82-AB66-46C67A261287", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:1809:*:*:*:*:*:*:*", matchCriteriaId: "EB6E0D66-B1DF-4E65-9155-07C687C08046", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:s\\/4_hana:1909:*:*:*:*:*:*:*", matchCriteriaId: "055B76F2-6B9F-475F-8244-E427DCB6B0F2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.", }, { lang: "es", value: "Los reportes de VAT Pro-Rata en SAP ERP (SAP_APPL versiones 600, 602, 603, 604, 605, 606, 616 y SAP_FIN versiones 617, 618, 700, 720, 730) y SAP S/4 HANA (versiones 100, 101, 102 , 103, 104), no realizan las comprobaciones de autorización necesarias para un usuario autenticado, conllevando a una Falta de Comprobación de Autorización.", }, ], id: "CVE-2020-6188", lastModified: "2024-11-21T05:35:15.857", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", 
version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.1, impactScore: 4.2, source: "cna@sap.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-02-12T20:15:14.400", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2857511", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Vendor Advisory", ], url: "https://launchpad.support.sap.com/#/notes/2857511", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2020-26832
Vulnerability from cvelistv5
Published
2020-12-09 16:31
Modified
2024-08-04 16:03
Severity ?
EPSS score ?
Summary
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2993132 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2022/May/42 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | SAP SE | SAP NetWeaver AS ABAP (SAP Landscape Transformation) |
Version: < 2011_1_620 Version: < 2011_1_640 Version: < 2011_1_700 Version: < 2011_1_710 Version: < 2011_1_730 Version: < 2011_1_731 Version: < 2011_1_752 Version: < 2020 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:03:22.474Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 2011_1_620", }, { status: "affected", version: "< 2011_1_640", }, { status: "affected", version: "< 2011_1_700", }, { status: "affected", version: "< 2011_1_710", }, { status: "affected", version: "< 2011_1_730", }, { status: "affected", version: "< 2011_1_731", }, { status: "affected", version: "< 2011_1_752", }, { status: "affected", version: "< 2020", }, ], }, { product: "SAP S4 HANA (SAP Landscape Transformation)", vendor: "SAP SE", versions: [ { status: "affected", version: "< 101", }, { status: "affected", version: "< 102", }, { status: "affected", version: "< 103", }, { status: "affected", version: "< 104", }, { status: "affected", version: "< 105", }, ], }, ], descriptions: [ { lang: "en", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape 
Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-19T17:06:20", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2022/May/42", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-26832", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)", version: { version_data: [ { version_name: "<", version_value: "2011_1_620", }, { version_name: "<", version_value: "2011_1_640", }, { 
version_name: "<", version_value: "2011_1_700", }, { version_name: "<", version_value: "2011_1_710", }, { version_name: "<", version_value: "2011_1_730", }, { version_name: "<", version_value: "2011_1_731", }, { version_name: "<", version_value: "2011_1_752", }, { version_name: "<", version_value: "2020", }, ], }, }, { product_name: "SAP S4 HANA (SAP Landscape Transformation)", version: { version_data: [ { version_name: "<", version_value: "101", }, { version_name: "<", version_value: "102", }, { version_name: "<", version_value: "103", }, { version_name: "<", version_value: "104", }, { version_name: "<", version_value: "105", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.", }, ], }, impact: { cvss: { baseScore: "7.6", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079", }, { name: "https://launchpad.support.sap.com/#/notes/2993132", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2993132", }, { name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities 
in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2022/May/42", }, { name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-26832", datePublished: "2020-12-09T16:31:03", dateReserved: "2020-10-07T00:00:00", dateUpdated: "2024-08-04T16:03:22.474Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-41368
Vulnerability from cvelistv5
Published
2023-09-12 01:59
Modified
2024-09-26 16:04
Summary
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107 - allows an authenticated attacker to change the name of a checkbook by sending a crafted OData update call directly to the service rather than through the application UI; the object key supplied in the request is not checked against the caller's authorization (Insecure Direct Object Reference, CWE-639). Per the CVSS vector the attacker needs high privileges and the impact is limited to a low integrity impact.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | S4 HANA ABAP (Manage checkbook apps) |
Version: 102 Version: 103 Version: 104 Version: 105 Version: 106 Version: 107 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:01:35.327Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3355675", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-41368", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-26T16:02:46.199952Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-26T16:04:32.037Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "S4 HANA ABAP (Manage checkbook apps)", vendor: "SAP_SE", versions: [ { status: "affected", version: "102", }, { status: "affected", version: "103", }, { status: "affected", version: "104", }, { status: "affected", version: "105", }, { status: "affected", version: "106", }, { status: "affected", version: "107", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.</p>", }, ], value: "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 2.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-639", description: "CWE-639: Authorization Bypass Through User-Controlled Key", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-12T01:59:39.205Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3355675", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-41368", datePublished: "2023-09-12T01:59:39.205Z", dateReserved: "2023-08-29T05:27:56.301Z", dateUpdated: "2024-09-26T16:04:32.037Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-41369
Vulnerability from cvelistv5
Published
2023-09-12 01:59
Modified
2024-09-25 15:33
Summary
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108 - allows an authenticated attacker to upload a crafted XML file as an attachment. When another user clicks that XML file in the attachment section, the browser opens it and the file's recursive entity declarations (an entity-expansion loop, CWE-611) slow the browser down. The impact is a low client-side availability impact and exploitation requires user interaction (CVSS UI:R).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP S/4HANA (Create Single Payment application) |
Version: 100 Version: 101 Version: 102 Version: 103 Version: 104 Version: 105 Version: 106 Version: 107 Version: 108 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:01:34.245Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3369680", }, { tags: [ "x_transferred", ], url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-41369", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-25T15:11:16.316030Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-25T15:33:02.395Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP S/4HANA (Create Single Payment application)", vendor: "SAP_SE", versions: [ { status: "affected", version: "100", }, { status: "affected", version: "101", }, { status: "affected", version: "102", }, { status: "affected", version: "103", }, { status: "affected", version: "104", }, { status: "affected", version: "105", }, { status: "affected", version: "106", }, { status: "affected", version: "107", }, { status: "affected", version: "108", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.</p>", }, ], value: "The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. 
When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-611", description: "CWE-611: Improper Restriction of XML External Entity Reference", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-12T01:59:03.570Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3369680", }, { url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", }, ], source: { discovery: "UNKNOWN", }, title: "External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2023-41369", datePublished: "2023-09-12T01:59:03.570Z", dateReserved: "2023-08-29T05:27:56.301Z", dateUpdated: "2024-09-25T15:33:02.395Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-34691
Vulnerability from cvelistv5
Published
2024-06-11 02:22
Modified
2024-08-02 02:59
Summary
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform the necessary authorization checks for an authenticated user, allowing a low-privileged user to perform actions they are not entitled to (escalation of privileges; Missing Authorization, CWE-862). The issue has a high impact on integrity and no impact on the confidentiality or availability of the system.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP S/4HANA (Manage Incoming Payment Files) |
Version: S4CORE 102 Version: 103 Version: 104 Version: 105 Version: 106 Version: 107 Version: 108 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "s4hana", vendor: "sap", versions: [ { status: "affected", version: "102", }, { status: "affected", version: "103", }, { status: "affected", version: "104", }, { status: "affected", version: "105", }, { status: "affected", version: "106", }, { status: "affected", version: "107", }, { status: "affected", version: "108", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-34691", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-11T14:10:07.910208Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-31T19:55:18.143Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T02:59:22.219Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3466175", }, { tags: [ "x_transferred", ], url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP S/4HANA (Manage Incoming Payment Files)", vendor: "SAP_SE", versions: [ { status: "affected", version: "S4CORE 102", }, { status: "affected", version: "103", }, { status: "affected", version: "104", }, { status: "affected", version: "105", }, { status: "affected", version: "106", }, { status: "affected", version: "107", }, { status: "affected", version: "108", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. 
As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.\n\n\n\n", }, ], value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-11T02:22:24.435Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3466175", }, { url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", }, ], source: { discovery: "UNKNOWN", }, title: "Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-34691", datePublished: "2024-06-11T02:22:24.435Z", dateReserved: "2024-05-07T05:46:11.658Z", dateUpdated: "2024-08-02T02:59:22.219Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-6188
Vulnerability from cvelistv5
Published
2020-02-12 19:46
Modified
2024-08-04 08:55
Summary
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform the necessary authorization checks for an authenticated user (Missing Authorization Check). According to the CVSS vector, a low-privileged user can, with user interaction, cause a high integrity impact and a low confidentiality impact; availability is not affected.
References
▼ | URL | Tags |
---|---|---|
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812 | x_refsource_MISC | |
https://launchpad.support.sap.com/#/notes/2857511 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
▼ | SAP SE | SAP ERP (SAP_APPL) |
Version: = 6.0 Version: = 6.02 Version: = 6.03 Version: = 6.04 Version: = 6.05 Version: = 6.06 Version: = 6.16 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T08:55:22.007Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://launchpad.support.sap.com/#/notes/2857511", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "SAP ERP (SAP_APPL)", vendor: "SAP SE", versions: [ { status: "affected", version: "= 6.0", }, { status: "affected", version: "= 6.02", }, { status: "affected", version: "= 6.03", }, { status: "affected", version: "= 6.04", }, { status: "affected", version: "= 6.05", }, { status: "affected", version: "= 6.06", }, { status: "affected", version: "= 6.16", }, ], }, { product: "SAP ERP (SAP_FIN)", vendor: "SAP SE", versions: [ { status: "affected", version: "= 6.17", }, { status: "affected", version: "= 6.18", }, { status: "affected", version: "= 7.0", }, { status: "affected", version: "= 7.20", }, { status: "affected", version: "= 7.30", }, ], }, { product: "SAP S/4 HANA (S4CORE)", vendor: "SAP SE", versions: [ { status: "affected", version: "= 1.0", }, { status: "affected", version: "= 1.01", }, { status: "affected", version: "= 1.02", }, { status: "affected", version: "= 1.03", }, { status: "affected", version: "= 1.04", }, ], }, ], descriptions: [ { lang: "en", value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: 
"UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Missing Authorization Check", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-02-12T19:46:09", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", }, { tags: [ "x_refsource_MISC", ], url: "https://launchpad.support.sap.com/#/notes/2857511", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@sap.com", ID: "CVE-2020-6188", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "SAP ERP (SAP_APPL)", version: { version_data: [ { version_name: "=", version_value: "6.0", }, { version_name: "=", version_value: "6.02", }, { version_name: "=", version_value: "6.03", }, { version_name: "=", version_value: "6.04", }, { version_name: "=", version_value: "6.05", }, { version_name: "=", version_value: "6.06", }, { version_name: "=", version_value: "6.16", }, ], }, }, { product_name: "SAP ERP (SAP_FIN)", version: { version_data: [ { version_name: "=", version_value: "6.17", }, { version_name: "=", version_value: "6.18", }, { version_name: "=", version_value: "7.0", }, { version_name: "=", version_value: "7.20", }, { version_name: "=", version_value: "7.30", }, ], }, }, { product_name: "SAP S/4 HANA (S4CORE)", version: { version_data: [ { version_name: "=", version_value: "1.0", }, { version_name: "=", version_value: "1.01", }, { version_name: "=", version_value: "1.02", }, { version_name: "=", version_value: "1.03", }, { version_name: "=", version_value: "1.04", }, ], }, }, ], }, vendor_name: "SAP SE", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 
602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.", }, ], }, impact: { cvss: { baseScore: "6.3", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Missing Authorization Check", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", refsource: "MISC", url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812", }, { name: "https://launchpad.support.sap.com/#/notes/2857511", refsource: "MISC", url: "https://launchpad.support.sap.com/#/notes/2857511", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2020-6188", datePublished: "2020-02-12T19:46:09", dateReserved: "2020-01-08T00:00:00", dateUpdated: "2024-08-04T08:55:22.007Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-45282
Vulnerability from cvelistv5
Published
2024-10-08 03:21
Modified
2024-10-09 14:54
Summary
Fields that are in a 'read only' state in a Bank Statement Draft in the Manage Bank Statements application can be modified by using the HTTP MERGE method. The property of the OData entity that is presumably immutable is not protected against external modification, leading to integrity violations (HTTP verb tampering, CWE-650: Trusting HTTP Permission Methods on the Server Side). Confidentiality and availability are not impacted.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | SAP_SE | SAP S/4 HANA (Manage Bank Statements) |
Version: S4CORE Version: 102 Version: 103 Version: 104 Version: 105 Version: 106 Version: 107 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-45282", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-09T14:54:01.568870Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-09T14:54:13.725Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP S/4 HANA (Manage Bank Statements)", vendor: "SAP_SE", versions: [ { status: "affected", version: "S4CORE", }, { status: "affected", version: "102", }, { status: "affected", version: "103", }, { status: "affected", version: "104", }, { status: "affected", version: "105", }, { status: "affected", version: "106", }, { status: "affected", version: "107", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.</p>", }, ], value: "Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. 
Confidentiality and Availability are not impacted.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-650", description: "CWE-650: Trusting HTTP Permission Methods on the Server Side", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-08T03:21:33.330Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3251893", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-45282", datePublished: "2024-10-08T03:21:33.330Z", dateReserved: "2024-08-26T10:39:20.932Z", dateUpdated: "2024-10-09T14:54:13.725Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }