Vulnerabilities related to sap - s\/4_hana
Vulnerability from fkie_nvd
Published
2020-12-09 17:15
Modified
2024-11-21 05:20
Summary
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a highly privileged user to execute an RFC function module to which access should be restricted; due to the missing authorization check, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*",
                     matchCriteriaId: "81582DC5-7D38-4E36-80D1-70F68E72ACA2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*",
                     matchCriteriaId: "6CBC1FEB-12A4-404D-B48B-31A5E79832C3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*",
                     matchCriteriaId: "6C062334-A441-489F-A75D-28B42607FE0C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*",
                     matchCriteriaId: "6EB166D4-5807-4808-B9BA-12A0EE106C3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*",
                     matchCriteriaId: "50FAC71E-03BA-4A90-80FB-A78F958C172E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*",
                     matchCriteriaId: "EC8602D8-0EF3-452D-B993-8FC39C54E04E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*",
                     matchCriteriaId: "063830D7-CFDF-426B-868E-B6E4FE629220",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*",
                     matchCriteriaId: "BFE1EFA9-6E58-4508-9A7D-4F25D8F8E57B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:101:*:*:*:*:*:*:*",
                     matchCriteriaId: "7A800EB9-BD11-46B8-9866-31088F01D433",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*",
                     matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*",
                     matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*",
                     matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.",
      },
      {
         lang: "es",
         value: "SAP AS ABAP (SAP Landscape Transformation), versiones - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 y SAP S4 HANA (SAP Landscape Transformation), versiones - 101, 102, 103, 104, 105, permite a un usuario muy privilegiado ejecutar un módulo de función RFC al que debe estar restringido el acceso; sin embargo, debido a una falta de autorización, un atacante puede obtener acceso a información interna confidencial del sistema SAP vulnerable o hacer a sistemas SAP vulnerables no disponibles completamente",
      },
   ],
   id: "CVE-2020-26832",
   lastModified: "2024-11-21T05:20:21.883",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "COMPLETE",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:C",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 7.8,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
               version: "3.0",
            },
            exploitabilityScore: 2.3,
            impactScore: 4.7,
            source: "cna@sap.com",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 4.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-12-09T17:15:31.260",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Exploit",
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/42",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
         ],
         url: "https://launchpad.support.sap.com/#/notes/2993132",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/42",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
         ],
         url: "https://launchpad.support.sap.com/#/notes/2993132",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-862",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-09-12 02:15
Modified
2024-11-21 08:21
Summary
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file in the attachment section is clicked, it is opened in the browser, where the entity loops cause the browser to slow down.
Impacted products
Vendor Product Version
sap s\/4_hana 100
sap s\/4_hana 101
sap s\/4_hana 102
sap s\/4_hana 103
sap s\/4_hana 104
sap s\/4_hana 105
sap s\/4_hana 106
sap s\/4_hana 107
sap s\/4_hana 108



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:100:*:*:*:*:*:*:*",
                     matchCriteriaId: "D978AA69-72A7-4A7E-B3A1-8D342B4B77CE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:101:*:*:*:*:*:*:*",
                     matchCriteriaId: "7A800EB9-BD11-46B8-9866-31088F01D433",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*",
                     matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*",
                     matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*",
                     matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*",
                     matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*",
                     matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:108:*:*:*:*:*:*:*",
                     matchCriteriaId: "F794CB63-BF34-42D5-9998-CD2F2B2FF25F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.\n\n",
      },
      {
         lang: "es",
         value: "La aplicación Create Single Payment de SAP S/4HANA - versiones 100, 101, 102, 103, 104, 105, 106, 107, 108, permite a un atacante cargar el archivo XML como datos adjuntos. Cuando se hace clic en el archivo XML en la sección de datos adjuntos, el archivo se abre en el navegador para hacer que los bucles de entidad ralenticen el navegador.",
      },
   ],
   id: "CVE-2023-41369",
   lastModified: "2024-11-21T08:21:10.440",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 3.5,
               baseSeverity: "LOW",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 1.4,
            source: "cna@sap.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-09-12T02:15:12.983",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3369680",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3369680",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-611",
            },
         ],
         source: "cna@sap.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-10-08 04:15
Modified
2024-11-14 17:56
Summary
Fields which are in a 'read only' state in the Bank Statement Draft of the Manage Bank Statements application could be modified by the MERGE method. The property of an OData entity that is assumed to be immutable is not protected against external modification, leading to integrity violations. Confidentiality and Availability are not impacted.
References
Impacted products
Vendor Product Version
sap s\/4_hana 102
sap s\/4_hana 103
sap s\/4_hana 104
sap s\/4_hana 105
sap s\/4_hana 106
sap s\/4_hana 107



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*",
                     matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*",
                     matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*",
                     matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*",
                     matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*",
                     matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.",
      },
      {
         lang: "es",
         value: "Los campos que están en estado de \"solo lectura\" en Bank Statement Draft in Manage Bank Statements application. La propiedad de una entidad OData que representa un método supuestamente inmutable no está protegida contra modificaciones externas que provoquen violaciones de integridad. La confidencialidad y la disponibilidad no se ven afectadas.",
      },
   ],
   id: "CVE-2024-45282",
   lastModified: "2024-11-14T17:56:17.007",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "cna@sap.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-10-08T04:15:08.633",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3251893",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://url.sap/sapsecuritypatchday",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-650",
            },
         ],
         source: "cna@sap.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-09-12 02:15
Modified
2024-11-21 08:21
Summary
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
Impacted products
Vendor Product Version
sap s\/4_hana 102
sap s\/4_hana 103
sap s\/4_hana 104
sap s\/4_hana 105
sap s\/4_hana 106
sap s\/4_hana 107



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:102:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EE80980-12A5-40D7-8992-5C81FC82935E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*",
                     matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*",
                     matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*",
                     matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*",
                     matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*",
                     matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n",
      },
      {
         lang: "es",
         value: "El servicio OData de S4 HANA (Manage checkbook apps), versiones 102, 103, 104, 105, 106, 107, permite a un atacante cambiar el nombre del checkbook  simulando una llamada OData de actualización.",
      },
   ],
   id: "CVE-2023-41368",
   lastModified: "2024-11-21T08:21:10.293",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 2.7,
               baseSeverity: "LOW",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 1.4,
            source: "cna@sap.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-09-12T02:15:12.847",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3355675",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3355675",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-639",
            },
         ],
         source: "cna@sap.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-06-11 03:15
Modified
2024-11-21 09:19
Summary
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has a high impact on integrity and no impact on the confidentiality and availability of the system.
Impacted products
Vendor Product Version
sap s\/4_hana 103
sap s\/4_hana 104
sap s\/4_hana 105
sap s\/4_hana 106
sap s\/4_hana 107
sap s\/4_hana 108
sap s\/4_hana s4core_102



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:103:*:*:*:*:*:*:*",
                     matchCriteriaId: "82AAE66A-7112-4E83-9094-2AA571144F64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:104:*:*:*:*:*:*:*",
                     matchCriteriaId: "CFF0FD31-F4F3-470A-9CB5-DE339D7334FF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:105:*:*:*:*:*:*:*",
                     matchCriteriaId: "A52E5AE7-D16E-4122-A39E-20A2CAB9A146",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:106:*:*:*:*:*:*:*",
                     matchCriteriaId: "EAEF60F9-E053-4D22-AA65-9C1CA5130374",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:107:*:*:*:*:*:*:*",
                     matchCriteriaId: "8606117E-F864-474F-8839-F6BAB51113E0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:108:*:*:*:*:*:*:*",
                     matchCriteriaId: "F794CB63-BF34-42D5-9998-CD2F2B2FF25F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:s4core_102:*:*:*:*:*:*:*",
                     matchCriteriaId: "5EE327B2-5E3C-4C52-9DC6-0D0A5A7B29C1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.",
      },
      {
         lang: "es",
         value: "Administrar archivos de pagos entrantes (F1680) de SAP S/4HANA no realiza las verificaciones de autorización necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un alto impacto en la integridad y ningún impacto en la confidencialidad y disponibilidad del sistema.",
      },
   ],
   id: "CVE-2024-34691",
   lastModified: "2024-11-21T09:19:12.357",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "cna@sap.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-06-11T03:15:11.780",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3466175",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
         ],
         url: "https://me.sap.com/notes/3466175",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-862",
            },
         ],
         source: "cna@sap.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-02-12 20:15
Modified
2024-11-21 05:35
Summary
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.
Impacted products
Vendor Product Version
sap erp 6.0
sap s\/4_hana 1511
sap s\/4_hana 1610
sap s\/4_hana 1709
sap s\/4_hana 1809
sap s\/4_hana 1909



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sap:erp:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "567E715A-39D9-4524-A60B-0A919A460D7D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:1511:*:*:*:*:*:*:*",
                     matchCriteriaId: "02BC74F5-5560-4459-B712-5834DEB85B45",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:1610:*:*:*:*:*:*:*",
                     matchCriteriaId: "7CDC5426-D2C1-430A-96AF-F25CE04A01A7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:1709:*:*:*:*:*:*:*",
                     matchCriteriaId: "D2F4BB0A-56DD-4A82-AB66-46C67A261287",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:1809:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB6E0D66-B1DF-4E65-9155-07C687C08046",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sap:s\\/4_hana:1909:*:*:*:*:*:*:*",
                     matchCriteriaId: "055B76F2-6B9F-475F-8244-E427DCB6B0F2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.",
      },
      {
         lang: "es",
         value: "Los reportes de VAT Pro-Rata en SAP ERP (SAP_APPL versiones 600, 602, 603, 604, 605, 606, 616 y SAP_FIN versiones 617, 618, 700, 720, 730) y SAP S/4 HANA (versiones 100, 101, 102, 103, 104), no realizan las comprobaciones de autorización necesarias para un usuario autenticado, conllevando a una Falta de Comprobación de Autorización.",
      },
   ],
   id: "CVE-2020-6188",
   lastModified: "2024-11-21T05:35:15.857",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
               version: "3.0",
            },
            exploitabilityScore: 2.1,
            impactScore: 4.2,
            source: "cna@sap.com",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-02-12T20:15:14.400",
   references: [
      {
         source: "cna@sap.com",
         tags: [
            "Permissions Required",
            "Vendor Advisory",
         ],
         url: "https://launchpad.support.sap.com/#/notes/2857511",
      },
      {
         source: "cna@sap.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
            "Vendor Advisory",
         ],
         url: "https://launchpad.support.sap.com/#/notes/2857511",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
      },
   ],
   sourceIdentifier: "cna@sap.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-862",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2020-26832
Vulnerability from cvelistv5
Published
2020-12-09 16:31
Modified
2024-08-04 16:03
Summary
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute an RFC function module to which access should be restricted; due to the missing authorization check, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.
Impacted products
Vendor Product Version
SAP SE SAP NetWeaver AS ABAP (SAP Landscape Transformation) Version: < 2011_1_620
Version: < 2011_1_640
Version: < 2011_1_700
Version: < 2011_1_710
Version: < 2011_1_730
Version: < 2011_1_731
Version: < 2011_1_752
Version: < 2020
SAP SE SAP S4 HANA (SAP Landscape Transformation) Version: < 101
Version: < 102
Version: < 103
Version: < 104
Version: < 105


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T16:03:22.474Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://launchpad.support.sap.com/#/notes/2993132",
               },
               {
                  name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/42",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "< 2011_1_620",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_640",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_700",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_710",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_730",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_731",
                  },
                  {
                     status: "affected",
                     version: "< 2011_1_752",
                  },
                  {
                     status: "affected",
                     version: "< 2020",
                  },
               ],
            },
            {
               product: "SAP S4 HANA (SAP Landscape Transformation)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "< 101",
                  },
                  {
                     status: "affected",
                     version: "< 102",
                  },
                  {
                     status: "affected",
                     version: "< 103",
                  },
                  {
                     status: "affected",
                     version: "< 104",
                  },
                  {
                     status: "affected",
                     version: "< 105",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute an RFC function module to which access should be restricted; due to the missing authorization check, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.6,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Missing Authorization",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-05-19T17:06:20",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://launchpad.support.sap.com/#/notes/2993132",
            },
            {
               name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/42",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cna@sap.com",
               ID: "CVE-2020-26832",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_620",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_640",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_700",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_710",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_730",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_731",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2011_1_752",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "2020",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SAP S4 HANA (SAP Landscape Transformation)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "<",
                                          version_value: "101",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "102",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "103",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "104",
                                       },
                                       {
                                          version_name: "<",
                                          version_value: "105",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "SAP SE",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute an RFC function module to which access should be restricted; due to the missing authorization check, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.",
                  },
               ],
            },
            impact: {
               cvss: {
                  baseScore: "7.6",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Missing Authorization",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                     refsource: "MISC",
                     url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                  },
                  {
                     name: "https://launchpad.support.sap.com/#/notes/2993132",
                     refsource: "MISC",
                     url: "https://launchpad.support.sap.com/#/notes/2993132",
                  },
                  {
                     name: "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2022/May/42",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2020-26832",
      datePublished: "2020-12-09T16:31:03",
      dateReserved: "2020-10-07T00:00:00",
      dateUpdated: "2024-08-04T16:03:22.474Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-41368
Vulnerability from cvelistv5
Published
2023-09-12 01:59
Modified
2024-09-26 16:04
Summary
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
Impacted products
Vendor Product Version
SAP_SE S4 HANA ABAP (Manage checkbook apps) Version: 102
Version: 103
Version: 104
Version: 105
Version: 106
Version: 107


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T19:01:35.327Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://me.sap.com/notes/3355675",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-41368",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-26T16:02:46.199952Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-26T16:04:32.037Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "S4 HANA ABAP (Manage checkbook apps)",
               vendor: "SAP_SE",
               versions: [
                  {
                     status: "affected",
                     version: "102",
                  },
                  {
                     status: "affected",
                     version: "103",
                  },
                  {
                     status: "affected",
                     version: "104",
                  },
                  {
                     status: "affected",
                     version: "105",
                  },
                  {
                     status: "affected",
                     version: "106",
                  },
                  {
                     status: "affected",
                     version: "107",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.</p>",
                  },
               ],
               value: "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 2.7,
                  baseSeverity: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-639",
                     description: "CWE-639: Authorization Bypass Through User-Controlled Key",
                     lang: "eng",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-09-12T01:59:39.205Z",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               url: "https://me.sap.com/notes/3355675",
            },
            {
               url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2023-41368",
      datePublished: "2023-09-12T01:59:39.205Z",
      dateReserved: "2023-08-29T05:27:56.301Z",
      dateUpdated: "2024-09-26T16:04:32.037Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-41369
Vulnerability from cvelistv5
Published
2023-09-12 01:59
Modified
2024-09-25 15:33
Summary
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file in the attachment section is clicked, it is opened in the browser, where its entity loops slow down the browser.
Impacted products
Vendor Product Version
SAP_SE SAP S/4HANA (Create Single Payment application) Version: 100
Version: 101
Version: 102
Version: 103
Version: 104
Version: 105
Version: 106
Version: 107
Version: 108


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T19:01:34.245Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://me.sap.com/notes/3369680",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-41369",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-25T15:11:16.316030Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-25T15:33:02.395Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "SAP S/4HANA (Create Single Payment application)",
               vendor: "SAP_SE",
               versions: [
                  {
                     status: "affected",
                     version: "100",
                  },
                  {
                     status: "affected",
                     version: "101",
                  },
                  {
                     status: "affected",
                     version: "102",
                  },
                  {
                     status: "affected",
                     version: "103",
                  },
                  {
                     status: "affected",
                     version: "104",
                  },
                  {
                     status: "affected",
                     version: "105",
                  },
                  {
                     status: "affected",
                     version: "106",
                  },
                  {
                     status: "affected",
                     version: "107",
                  },
                  {
                     status: "affected",
                     version: "108",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                      value: "<p>The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When a user clicks the XML file in the attachment section, the browser opens it and the XML entity loops it contains slow the browser down (a client-side denial of service).</p>",
                  },
               ],
                value: "The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When a user clicks the XML file in the attachment section, the browser opens it and the XML entity loops it contains slow the browser down (a client-side denial of service).\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-611",
                     description: "CWE-611: Improper Restriction of XML External Entity Reference",
                     lang: "eng",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-09-12T01:59:03.570Z",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               url: "https://me.sap.com/notes/3369680",
            },
            {
               url: "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2023-41369",
      datePublished: "2023-09-12T01:59:03.570Z",
      dateReserved: "2023-08-29T05:27:56.301Z",
      dateUpdated: "2024-09-25T15:33:02.395Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-34691
Vulnerability from cvelistv5
Published
2024-06-11 02:22
Modified
2024-08-02 02:59
Summary
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
Impacted products
Vendor Product Version
SAP_SE SAP S/4HANA (Manage Incoming Payment Files) Version: S4CORE 102
Version: 103
Version: 104
Version: 105
Version: 106
Version: 107
Version: 108


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "s4hana",
                  vendor: "sap",
                  versions: [
                     {
                        status: "affected",
                        version: "102",
                     },
                     {
                        status: "affected",
                        version: "103",
                     },
                     {
                        status: "affected",
                        version: "104",
                     },
                     {
                        status: "affected",
                        version: "105",
                     },
                     {
                        status: "affected",
                        version: "106",
                     },
                     {
                        status: "affected",
                        version: "107",
                     },
                     {
                        status: "affected",
                        version: "108",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-34691",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-06-11T14:10:07.910208Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-31T19:55:18.143Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T02:59:22.219Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://me.sap.com/notes/3466175",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "SAP S/4HANA (Manage Incoming Payment Files)",
               vendor: "SAP_SE",
               versions: [
                  {
                     status: "affected",
                     version: "S4CORE 102",
                  },
                  {
                     status: "affected",
                     version: "103",
                  },
                  {
                     status: "affected",
                     version: "104",
                  },
                  {
                     status: "affected",
                     version: "105",
                  },
                  {
                     status: "affected",
                     version: "106",
                  },
                  {
                     status: "affected",
                     version: "107",
                  },
                  {
                     status: "affected",
                     version: "108",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.\n\n\n\n",
                  },
               ],
               value: "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-862",
                     description: "CWE-862: Missing Authorization",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-06-11T02:22:24.435Z",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               url: "https://me.sap.com/notes/3466175",
            },
            {
               url: "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2024-34691",
      datePublished: "2024-06-11T02:22:24.435Z",
      dateReserved: "2024-05-07T05:46:11.658Z",
      dateUpdated: "2024-08-02T02:59:22.219Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-6188
Vulnerability from cvelistv5
Published
2020-02-12 19:46
Modified
2024-08-04 08:55
Summary
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform the necessary authorization checks for an authenticated user (Missing Authorization Check). Per the CVSS vector, a low-privileged authenticated user can thereby obtain limited data and make high-impact integrity changes (C:L/I:H), with user interaction required.
Impacted products
Vendor Product Version
SAP SE SAP ERP (SAP_APPL) Version: = 6.0
Version: = 6.02
Version: = 6.03
Version: = 6.04
Version: = 6.05
Version: = 6.06
Version: = 6.16
SAP SE SAP ERP (SAP_FIN) Version: = 6.17
Version: = 6.18
Version: = 7.0
Version: = 7.20
Version: = 7.30
SAP SE SAP S/4 HANA (S4CORE) Version: = 1.0
Version: = 1.01
Version: = 1.02
Version: = 1.03
Version: = 1.04


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T08:55:22.007Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://launchpad.support.sap.com/#/notes/2857511",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "SAP ERP (SAP_APPL)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "= 6.0",
                  },
                  {
                     status: "affected",
                     version: "= 6.02",
                  },
                  {
                     status: "affected",
                     version: "= 6.03",
                  },
                  {
                     status: "affected",
                     version: "= 6.04",
                  },
                  {
                     status: "affected",
                     version: "= 6.05",
                  },
                  {
                     status: "affected",
                     version: "= 6.06",
                  },
                  {
                     status: "affected",
                     version: "= 6.16",
                  },
               ],
            },
            {
               product: "SAP ERP (SAP_FIN)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "= 6.17",
                  },
                  {
                     status: "affected",
                     version: "= 6.18",
                  },
                  {
                     status: "affected",
                     version: "= 7.0",
                  },
                  {
                     status: "affected",
                     version: "= 7.20",
                  },
                  {
                     status: "affected",
                     version: "= 7.30",
                  },
               ],
            },
            {
               product: "SAP S/4 HANA (S4CORE)",
               vendor: "SAP SE",
               versions: [
                  {
                     status: "affected",
                     version: "= 1.0",
                  },
                  {
                     status: "affected",
                     version: "= 1.01",
                  },
                  {
                     status: "affected",
                     version: "= 1.02",
                  },
                  {
                     status: "affected",
                     version: "= 1.03",
                  },
                  {
                     status: "affected",
                     version: "= 1.04",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Missing Authorization Check",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-02-12T19:46:09",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://launchpad.support.sap.com/#/notes/2857511",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cna@sap.com",
               ID: "CVE-2020-6188",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "SAP ERP (SAP_APPL)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "=",
                                          version_value: "6.0",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.02",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.03",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.04",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.05",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.06",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.16",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SAP ERP (SAP_FIN)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "=",
                                          version_value: "6.17",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "6.18",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "7.0",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "7.20",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "7.30",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SAP S/4 HANA (S4CORE)",
                                 version: {
                                    version_data: [
                                       {
                                          version_name: "=",
                                          version_value: "1.0",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "1.01",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "1.02",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "1.03",
                                       },
                                       {
                                          version_name: "=",
                                          version_value: "1.04",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "SAP SE",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.",
                  },
               ],
            },
            impact: {
               cvss: {
                  baseScore: "6.3",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Missing Authorization Check",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
                     refsource: "MISC",
                     url: "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
                  },
                  {
                     name: "https://launchpad.support.sap.com/#/notes/2857511",
                     refsource: "MISC",
                     url: "https://launchpad.support.sap.com/#/notes/2857511",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2020-6188",
      datePublished: "2020-02-12T19:46:09",
      dateReserved: "2020-01-08T00:00:00",
      dateUpdated: "2024-08-04T08:55:22.007Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-45282
Vulnerability from cvelistv5
Published
2024-10-08 03:21
Modified
2024-10-09 14:54
Summary
Fields that are in 'read only' state in the Bank Statement Draft of the Manage Bank Statements application can be modified via the OData MERGE method (HTTP verb tampering). The property of the OData entity that is presumably immutable is not protected against external modification, leading to integrity violations. Confidentiality and Availability are not impacted.
Impacted products
Vendor Product Version
SAP_SE SAP S/4 HANA (Manage Bank Statements) Version: S4CORE (software component name rather than a release number; the numbered entries below appear to be its affected releases)
Version: 102
Version: 103
Version: 104
Version: 105
Version: 106
Version: 107


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-45282",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-09T14:54:01.568870Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-09T14:54:13.725Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "SAP S/4 HANA (Manage Bank Statements)",
               vendor: "SAP_SE",
               versions: [
                  {
                     status: "affected",
                     version: "S4CORE",
                  },
                  {
                     status: "affected",
                     version: "102",
                  },
                  {
                     status: "affected",
                     version: "103",
                  },
                  {
                     status: "affected",
                     version: "104",
                  },
                  {
                     status: "affected",
                     version: "105",
                  },
                  {
                     status: "affected",
                     version: "106",
                  },
                  {
                     status: "affected",
                     version: "107",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                      value: "<p>Fields that are in 'read only' state in the Bank Statement Draft of the Manage Bank Statements application can be modified via the OData MERGE method. The property of the OData entity that is presumably immutable is not protected against external modification, leading to integrity violations. Confidentiality and Availability are not impacted.</p>",
                  },
               ],
                value: "Fields that are in 'read only' state in the Bank Statement Draft of the Manage Bank Statements application can be modified via the OData MERGE method. The property of the OData entity that is presumably immutable is not protected against external modification, leading to integrity violations. Confidentiality and Availability are not impacted.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-650",
                     description: "CWE-650: Trusting HTTP Permission Methods on the Server Side",
                     lang: "eng",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-08T03:21:33.330Z",
            orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            shortName: "sap",
         },
         references: [
            {
               url: "https://me.sap.com/notes/3251893",
            },
            {
               url: "https://url.sap/sapsecuritypatchday",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd",
      assignerShortName: "sap",
      cveId: "CVE-2024-45282",
      datePublished: "2024-10-08T03:21:33.330Z",
      dateReserved: "2024-08-26T10:39:20.932Z",
      dateUpdated: "2024-10-09T14:54:13.725Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}