cvelistv5 - cve-2024-24739

CVE-2024-24739 (GCVE-0-2024-24739)

Vulnerability from cvelistv5 – Published: 2024-02-13 02:34 – Updated: 2025-05-09 18:29

Summary

SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-862 - Missing Authorization

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/2637727
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP BAM (Bank Account Management)	Affected: SAP_FIN 618 Affected: SAP_FIN 730 Affected: S4CORE 100 Affected: 101

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:12.038Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/2637727"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24739",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T20:13:48.521066Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-09T18:29:09.737Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP BAM (Bank Account Management)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_FIN 618"
            },
            {
              "status": "affected",
              "version": "SAP_FIN 730"
            },
            {
              "status": "affected",
              "version": "S4CORE 100"
            },
            {
              "status": "affected",
              "version": "101"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-13T02:34:17.247Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/2637727"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing authorization check in SAP BAM (Bank Account Management)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-24739",
    "datePublished": "2024-02-13T02:34:17.247Z",
    "dateReserved": "2024-01-29T05:13:46.617Z",
    "dateUpdated": "2025-05-09T18:29:09.737Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:bank_account_management:s4core_100:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA1ACAD6-9068-4468-83B2-8CB61F325BEA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:bank_account_management:s4core_101:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"76352086-0768-4A0F-91AB-BEE3CDA58AF9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:bank_account_management:sap_fin_618:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5842D64D-C725-439A-82EA-A10FB0718DB5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:bank_account_management:sap_fin_730:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D69CC7F0-A2F5-4C3F-80F6-F2397859A6C0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"SAP Bank Account Management (BAM) permite que un usuario autenticado con acceso restringido utilice funciones que pueden resultar en una escalada de privilegios con bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicaci\\u00f3n.\"}]",
      "id": "CVE-2024-24739",
      "lastModified": "2024-11-21T08:59:35.887",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.4}]}",
      "published": "2024-02-13T03:15:08.780",
      "references": "[{\"url\": \"https://me.sap.com/notes/2637727\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://me.sap.com/notes/2637727\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24739\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-02-13T03:15:08.780\",\"lastModified\":\"2024-11-21T08:59:35.887\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\\n\\n\"},{\"lang\":\"es\",\"value\":\"SAP Bank Account Management (BAM) permite que un usuario autenticado con acceso restringido utilice funciones que pueden resultar en una escalada de privilegios con bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:bank_account_management:s4core_100:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA1ACAD6-9068-4468-83B2-8CB61F325BEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:bank_account_management:s4core_101:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"76352086-0768-4A0F-91AB-BEE3CDA58AF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:bank_account_management:sap_fin_618:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5842D64D-C725-439A-82EA-A10FB0718DB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:bank_account_management:sap_fin_730:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D69CC7F0-A2F5-4C3F-80F6-F2397859A6C0\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/2637727\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://me.sap.com/notes/2637727\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://me.sap.com/notes/2637727\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:12.038Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24739\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-21T20:13:48.521066Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-09T18:29:06.757Z\"}}], \"cna\": {\"title\": \"Missing authorization check in SAP BAM (Bank Account Management)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP BAM (Bank Account Management)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP_FIN 618\"}, {\"status\": \"affected\", \"version\": \"SAP_FIN 730\"}, {\"status\": \"affected\", \"version\": \"S4CORE 100\"}, {\"status\": \"affected\", \"version\": \"101\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/2637727\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-02-13T02:34:17.247Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-24739\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-09T18:29:09.737Z\", \"dateReserved\": \"2024-01-29T05:13:46.617Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-02-13T02:34:17.247Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702
SAP	N/A	SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731
SAP	N/A	SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (Guided Procedures) version 7.50
SAP	N/A	SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804
SAP	N/A	SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53
SAP	N/A	SAP Business Client versions 6.5, 7.0 et 7.70
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (User Admin Application) version 7.50
SAP	N/A	SAP Cloud Connector version 2.0
SAP	N/A	SAP Fiori app ("My Overtime Requests") versions 605
SAP	N/A	IDES Systems toutes versions
SAP	N/A	SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I
SAP	N/A	SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101
SAP	N/A	SAP Companion versions antérieures à 3.1.38
SAP	SAP CRM WebClient UI	SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801

References

Title

Publication Time

Tags

Bulletin de sécurité SAP february-2024 du 13 février 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (Guided Procedures) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (User Admin Application) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Cloud Connector version 2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori app (\"My Overtime Requests\") versions 605",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "IDES Systems toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Companion versions ant\u00e9rieures \u00e0 3.1.38",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "SAP CRM WebClient UI",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-24741",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24741"
    },
    {
      "name": "CVE-2024-22132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22132"
    },
    {
      "name": "CVE-2024-24739",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24739"
    },
    {
      "name": "CVE-2023-49580",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49580"
    },
    {
      "name": "CVE-2024-25643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25643"
    },
    {
      "name": "CVE-2024-24742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24742"
    },
    {
      "name": "CVE-2024-25642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25642"
    },
    {
      "name": "CVE-2024-24740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24740"
    },
    {
      "name": "CVE-2024-22129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22129"
    },
    {
      "name": "CVE-2024-22126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
    },
    {
      "name": "CVE-2024-22128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22128"
    },
    {
      "name": "CVE-2024-22131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22131"
    },
    {
      "name": "CVE-2024-22130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22130"
    },
    {
      "name": "CVE-2023-49058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49058"
    },
    {
      "name": "CVE-2024-24743",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24743"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-02-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP february-2024 du 13 f\u00e9vrier 2024",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
    }
  ]
}

CERTFR-2024-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702
SAP	N/A	SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731
SAP	N/A	SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (Guided Procedures) version 7.50
SAP	N/A	SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804
SAP	N/A	SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53
SAP	N/A	SAP Business Client versions 6.5, 7.0 et 7.70
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (User Admin Application) version 7.50
SAP	N/A	SAP Cloud Connector version 2.0
SAP	N/A	SAP Fiori app ("My Overtime Requests") versions 605
SAP	N/A	IDES Systems toutes versions
SAP	N/A	SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I
SAP	N/A	SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101
SAP	N/A	SAP Companion versions antérieures à 3.1.38
SAP	SAP CRM WebClient UI	SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801

References

Title

Publication Time

Tags

Bulletin de sécurité SAP february-2024 du 13 février 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (Guided Procedures) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (User Admin Application) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Cloud Connector version 2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori app (\"My Overtime Requests\") versions 605",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "IDES Systems toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Companion versions ant\u00e9rieures \u00e0 3.1.38",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "SAP CRM WebClient UI",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-24741",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24741"
    },
    {
      "name": "CVE-2024-22132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22132"
    },
    {
      "name": "CVE-2024-24739",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24739"
    },
    {
      "name": "CVE-2023-49580",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49580"
    },
    {
      "name": "CVE-2024-25643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25643"
    },
    {
      "name": "CVE-2024-24742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24742"
    },
    {
      "name": "CVE-2024-25642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25642"
    },
    {
      "name": "CVE-2024-24740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24740"
    },
    {
      "name": "CVE-2024-22129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22129"
    },
    {
      "name": "CVE-2024-22126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
    },
    {
      "name": "CVE-2024-22128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22128"
    },
    {
      "name": "CVE-2024-22131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22131"
    },
    {
      "name": "CVE-2024-22130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22130"
    },
    {
      "name": "CVE-2023-49058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49058"
    },
    {
      "name": "CVE-2024-24743",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24743"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-02-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP february-2024 du 13 f\u00e9vrier 2024",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
    }
  ]
}

FKIE_CVE-2024-24739

Vulnerability from fkie_nvd - Published: 2024-02-13 03:15 - Updated: 2024-11-21 08:59

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

URL	Tags
cna@sap.com	https://me.sap.com/notes/2637727	Permissions Required
cna@sap.com	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://me.sap.com/notes/2637727	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	bank_account_management	s4core_100
sap	bank_account_management	s4core_101
sap	bank_account_management	sap_fin_618
sap	bank_account_management	sap_fin_730

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:bank_account_management:s4core_100:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA1ACAD6-9068-4468-83B2-8CB61F325BEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:bank_account_management:s4core_101:*:*:*:*:*:*:*",
              "matchCriteriaId": "76352086-0768-4A0F-91AB-BEE3CDA58AF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:bank_account_management:sap_fin_618:*:*:*:*:*:*:*",
              "matchCriteriaId": "5842D64D-C725-439A-82EA-A10FB0718DB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:bank_account_management:sap_fin_730:*:*:*:*:*:*:*",
              "matchCriteriaId": "D69CC7F0-A2F5-4C3F-80F6-F2397859A6C0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n"
    },
    {
      "lang": "es",
      "value": "SAP Bank Account Management (BAM) permite que un usuario autenticado con acceso restringido utilice funciones que pueden resultar en una escalada de privilegios con bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-24739",
  "lastModified": "2024-11-21T08:59:35.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-13T03:15:08.780",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/2637727"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/2637727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2024-0355

Vulnerability from csaf_certbund - Published: 2024-02-12 23:00 - Updated: 2024-02-12 23:00

Summary

SAP Software: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.

Angriff

Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0355 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0355.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0355 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0355"
      },
      {
        "category": "external",
        "summary": "SAP Security Patch Day \u2013 February 2024 vom 2024-02-12",
        "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
      }
    ],
    "source_lang": "en-US",
    "title": "SAP Software: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-02-12T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:07.923+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0355",
      "initial_release_date": "2024-02-12T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-12T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SAP Software",
            "product": {
              "name": "SAP Software",
              "product_id": "T032707",
              "product_identification_helper": {
                "cpe": "cpe:/a:sap:sap:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SAP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-25643",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-25643"
    },
    {
      "cve": "CVE-2024-25642",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-25642"
    },
    {
      "cve": "CVE-2024-24743",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24743"
    },
    {
      "cve": "CVE-2024-24742",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24742"
    },
    {
      "cve": "CVE-2024-24741",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24741"
    },
    {
      "cve": "CVE-2024-24740",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24740"
    },
    {
      "cve": "CVE-2024-24739",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24739"
    },
    {
      "cve": "CVE-2024-22132",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22132"
    },
    {
      "cve": "CVE-2024-22131",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22131"
    },
    {
      "cve": "CVE-2024-22130",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22130"
    },
    {
      "cve": "CVE-2024-22129",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22129"
    },
    {
      "cve": "CVE-2024-22128",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22128"
    },
    {
      "cve": "CVE-2024-22126",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22126"
    },
    {
      "cve": "CVE-2023-49580",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2023-49580"
    },
    {
      "cve": "CVE-2023-49058",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2023-49058"
    }
  ]
}

GSD-2024-24739

Vulnerability from gsd - Updated: 2024-01-30 06:03

Details

Aliases

CVE-2024-24739

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24739"
      ],
      "details": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n",
      "id": "GSD-2024-24739",
      "modified": "2024-01-30T06:03:12.509452Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2024-24739",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP BAM (Bank Account Management)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "SAP_FIN 618"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "SAP_FIN 730"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "S4CORE 100"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "101"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP_SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-862",
                "lang": "eng",
                "value": "CWE-862: Missing Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://me.sap.com/notes/2637727",
            "refsource": "MISC",
            "url": "https://me.sap.com/notes/2637727"
          },
          {
            "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            "refsource": "MISC",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n"
          },
          {
            "lang": "es",
            "value": "SAP Bank Account Management (BAM) permite que un usuario autenticado con acceso restringido utilice funciones que pueden resultar en una escalada de privilegios con bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicaci\u00f3n."
          }
        ],
        "id": "CVE-2024-24739",
        "lastModified": "2024-02-13T14:01:40.577",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 3.4,
              "source": "cna@sap.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-13T03:15:08.780",
        "references": [
          {
            "source": "cna@sap.com",
            "url": "https://me.sap.com/notes/2637727"
          },
          {
            "source": "cna@sap.com",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "sourceIdentifier": "cna@sap.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-862"
              }
            ],
            "source": "cna@sap.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

GHSA-R4H7-P578-P9GV

Vulnerability from github – Published: 2024-02-13 03:30 – Updated: 2024-02-13 03:30

Details

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-24739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-13T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.\n\n",
  "id": "GHSA-r4h7-p578-p9gv",
  "modified": "2024-02-13T03:30:21Z",
  "published": "2024-02-13T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24739"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/2637727"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-24739 (GCVE-0-2024-24739)

CERTFR-2024-AVI-0125

Solution

CERTFR-2024-AVI-0125

Solution

FKIE_CVE-2024-24739

WID-SEC-W-2024-0355

GSD-2024-24739

GHSA-R4H7-P578-P9GV

Tags

Sightings

Nomenclature