Vulnerabilites related to sap - sap_basis
CVE-2024-34689 (GCVE-0-2024-34689)
Vulnerability from cvelistv5
Published
2024-07-09 04:18
Modified
2024-08-02 02:59
Severity ?
EPSS score ?
Summary
WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Business Workflow (WebFlow Services) |
Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap_se:sap_business_workflow_\\(webflow_services\\):*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "sap_business_workflow_\\(webflow_services\\)", vendor: "sap_se", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 751", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-34689", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-25T14:21:05.637426Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-25T14:38:25.505Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T02:59:22.630Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://url.sap/sapsecuritypatchday", }, { tags: [ "x_transferred", ], url: "https://me.sap.com/notes/3458789", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Business Workflow (WebFlow Services)", vendor: "SAP_SE", versions: [ { status: "affected", version: "SAP_BASIS 700", }, { status: "affected", version: "SAP_BASIS 701", }, { status: "affected", version: "SAP_BASIS 702", }, { status: "affected", version: "SAP_BASIS 731", }, { status: "affected", version: "SAP_BASIS 740", }, { status: "affected", version: "SAP_BASIS 750", }, { status: "affected", version: "SAP_BASIS 751", }, { status: "affected", version: "SAP_BASIS 752", }, { status: "affected", version: "SAP_BASIS 753", }, { status: "affected", version: "SAP_BASIS 754", }, { status: "affected", version: "SAP_BASIS 755", }, { status: "affected", version: "SAP_BASIS 756", }, { status: "affected", version: "SAP_BASIS 757", }, { status: "affected", version: "SAP_BASIS 758", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application.\n\n\n\n", }, ], value: "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-918", description: "CWE-918: Server-Side Request Forgery", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-09T04:18:21.258Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://url.sap/sapsecuritypatchday", }, { url: "https://me.sap.com/notes/3458789", }, ], source: { discovery: "UNKNOWN", }, title: "[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-34689", datePublished: "2024-07-09T04:18:21.258Z", dateReserved: "2024-05-07T05:46:11.658Z", dateUpdated: "2024-08-02T02:59:22.630Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2016-4551 (GCVE-0-2016-4551)
Vulnerability from cvelistv5
Published
2016-10-05 16:00
Modified
2024-08-06 00:32
Severity ?
EPSS score ?
Summary
The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2016/Oct/3 | mailing-list, x_refsource_FULLDISC | |
| https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging | x_refsource_MISC | |
| http://www.securityfocus.com/bid/93288 | vdb-entry, x_refsource_BID |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T00:32:25.832Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "20161003 Onapsis Security Advisory ONAPSIS-2016-036: SAP Security Audit Log invalid address logging", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2016/Oct/3", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", }, { name: "93288", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/93288", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-09-22T00:00:00", descriptions: [ { lang: "en", value: "The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2016-11-25T19:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "20161003 Onapsis Security Advisory ONAPSIS-2016-036: SAP Security Audit Log invalid address logging", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2016/Oct/3", }, { tags: [ "x_refsource_MISC", ], url: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", }, { name: "93288", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/93288", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-4551", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "20161003 Onapsis Security Advisory ONAPSIS-2016-036: SAP Security Audit Log invalid address logging", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2016/Oct/3", }, { name: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", refsource: "MISC", url: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", }, { name: "93288", refsource: "BID", url: "http://www.securityfocus.com/bid/93288", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-4551", datePublished: "2016-10-05T16:00:00", dateReserved: "2016-05-06T00:00:00", dateUpdated: "2024-08-06T00:32:25.832Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2016-10-05 16:59
Modified
2025-04-12 10:46
Severity ?
Summary
The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2016/Oct/3 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/93288 | ||
| cve@mitre.org | https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2016/Oct/3 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/93288 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging | Permissions Required, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:netweaver:2004s:*:*:*:*:*:*:*", matchCriteriaId: "EB3FC705-6497-44AE-A520-809D320C1380", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_aba:7.00:sp_level_0031:*:*:*:*:*:*", matchCriteriaId: "0E4A33ED-CD2B-46B7-BD20-EEAF88B012D3", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:7.00:sp_level_0031:*:*:*:*:*:*", matchCriteriaId: "C0CC87F8-734E-4EE4-9966-6204374CF704", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.", }, { lang: "es", value: "Los componentes (1) SAP_BASIS y (2) SAP_ABA 7.00 SP Level 0031 en SAP NetWeaver 2004s podría permitir a atacantes remotos suplantar direcciones IP escritas en el Security Audit Log a través de vectores relacionados con el entorno de red, vulnerabilidad también conocida como SAP Security Note 2190621.", }, ], id: "CVE-2016-4551", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-10-05T16:59:02.757", references: [ { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2016/Oct/3", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/93288", }, { source: "cve@mitre.org", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2016/Oct/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/93288", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", "Third Party Advisory", ], url: "https://www.onapsis.com/research/security-advisories/sap-security-audit-log-invalid-address-logging", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-09 05:15
Modified
2024-11-21 09:19
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3458789 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3458789 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:business_workflow:*:*:*:*:*:*:*:*", matchCriteriaId: "1FF29F57-F1C8-4905-B61F-9E72BF689C39", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*", matchCriteriaId: "85616273-040E-49CB-8EB6-D2D4D7B603E5", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*", matchCriteriaId: "C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*", matchCriteriaId: "6F774A45-2A9F-4873-A5DC-766D030C8CCD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*", matchCriteriaId: "D3A0A2D6-9259-4A35-A236-F4BEE986C1FD", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*", matchCriteriaId: "49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*", matchCriteriaId: "ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*", matchCriteriaId: "6DA4A6F0-C0F1-42CB-8BBD-7198064733EA", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*", matchCriteriaId: "8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*", matchCriteriaId: "86086D00-10BF-4C55-8D87-82CCBE468153", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*", matchCriteriaId: "2F25246A-D9E5-4F0D-B91A-478D4E5570DB", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*", matchCriteriaId: "0218695F-C4AD-46BF-B176-F10C644A9C2D", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*", matchCriteriaId: "FC9E7C3E-1005-450A-9198-E014C1BAADBC", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*", matchCriteriaId: "3A177AB1-CC85-46EF-91DF-462096608C9F", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*", matchCriteriaId: "F7591F81-708C-4285-9BB2-F2B4BDB9759B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application.", }, { lang: "es", value: "WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboración especial de solicitudes HTTP. Si se explota con éxito, esto puede dar lugar a la divulgación de información. No tiene ningún impacto en la integridad y disponibilidad de la aplicación.", }, ], id: "CVE-2024-34689", lastModified: "2024-11-21T09:19:12.067", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 1.4, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-09T05:15:10.873", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3458789", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3458789", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "cna@sap.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-918", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }