cvelistv5 - cve-2024-24741

CVE-2024-24741 (GCVE-0-2024-24741)

Vulnerability from cvelistv5 – Published: 2024-02-13 03:43 – Updated: 2024-08-01 23:28

Summary

SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/2897391
	https://www.sap.com/documents/2022/02/fa865ea4-16…

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP Master Data Governance Material	Affected: 618 Affected: 619 Affected: 620 Affected: 621 Affected: 622 Affected: 800 Affected: 801 Affected: 802 Affected: 803 Affected: 804

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24741",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-13T20:21:03.015929Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:43:06.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:12.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://me.sap.com/notes/2897391"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Master Data Governance Material",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "618"
            },
            {
              "status": "affected",
              "version": "619"
            },
            {
              "status": "affected",
              "version": "620"
            },
            {
              "status": "affected",
              "version": "621"
            },
            {
              "status": "affected",
              "version": "622"
            },
            {
              "status": "affected",
              "version": "800"
            },
            {
              "status": "affected",
              "version": "801"
            },
            {
              "status": "affected",
              "version": "802"
            },
            {
              "status": "affected",
              "version": "803"
            },
            {
              "status": "affected",
              "version": "804"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-13T03:43:14.238Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/2897391"
        },
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP Master Data Governance Material",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2024-24741",
    "datePublished": "2024-02-13T03:43:14.238Z",
    "dateReserved": "2024-01-29T05:13:46.617Z",
    "dateUpdated": "2024-08-01T23:28:12.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:618:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"11DBE392-E087-47C1-A929-C2106BBD765F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:619:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A54FC8EC-AFCE-47F4-83D6-A670CCED00F4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:620:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DC15EBBD-B074-4BAA-A725-DCD66138DAD8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:621:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"23B8D5F8-219C-47F4-98B7-E5B124563107\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:622:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA569B7D-9360-4B22-8F04-076CA8FC0EC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:800:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"20E3C861-0668-42FD-BD02-539861F1CBDC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:801:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C66BC0C1-702E-44BB-AA5C-02011760B0A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:802:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"40EAAF80-6111-4ED7-9460-DC48576F52D0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:803:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A8F9E8C5-3C69-4E7A-8946-8A9B92698B7B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:master_data_governance_for_material_data:804:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1F74B545-1CD8-4405-8640-C27BE6715DC5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"SAP Master Data Governance for Material Data: versiones 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, no realiza la verificaci\\u00f3n de autorizaci\\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podr\\u00eda permitir a un atacante leer informaci\\u00f3n confidencial, pero no afectar\\u00eda la integridad ni la disponibilidad.\"}]",
      "id": "CVE-2024-24741",
      "lastModified": "2024-11-21T08:59:36.183",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-02-13T04:15:08.340",
      "references": "[{\"url\": \"https://me.sap.com/notes/2897391\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://me.sap.com/notes/2897391\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24741\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-02-13T04:15:08.340\",\"lastModified\":\"2024-11-21T08:59:36.183\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\\n\\n\"},{\"lang\":\"es\",\"value\":\"SAP Master Data Governance for Material Data: versiones 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podr\u00eda permitir a un atacante leer informaci\u00f3n confidencial, pero no afectar\u00eda la integridad ni la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:618:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11DBE392-E087-47C1-A929-C2106BBD765F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:619:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A54FC8EC-AFCE-47F4-83D6-A670CCED00F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:620:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC15EBBD-B074-4BAA-A725-DCD66138DAD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:621:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23B8D5F8-219C-47F4-98B7-E5B124563107\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:622:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA569B7D-9360-4B22-8F04-076CA8FC0EC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:800:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20E3C861-0668-42FD-BD02-539861F1CBDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:801:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C66BC0C1-702E-44BB-AA5C-02011760B0A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:802:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"40EAAF80-6111-4ED7-9460-DC48576F52D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:803:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8F9E8C5-3C69-4E7A-8946-8A9B92698B7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:master_data_governance_for_material_data:804:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F74B545-1CD8-4405-8640-C27BE6715DC5\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/2897391\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://me.sap.com/notes/2897391\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://me.sap.com/notes/2897391\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:12.084Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24741\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-13T20:21:03.015929Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:11.279Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Missing Authorization check in SAP Master Data Governance Material\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Master Data Governance Material\", \"versions\": [{\"status\": \"affected\", \"version\": \"618\"}, {\"status\": \"affected\", \"version\": \"619\"}, {\"status\": \"affected\", \"version\": \"620\"}, {\"status\": \"affected\", \"version\": \"621\"}, {\"status\": \"affected\", \"version\": \"622\"}, {\"status\": \"affected\", \"version\": \"800\"}, {\"status\": \"affected\", \"version\": \"801\"}, {\"status\": \"affected\", \"version\": \"802\"}, {\"status\": \"affected\", \"version\": \"803\"}, {\"status\": \"affected\", \"version\": \"804\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/2897391\"}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-02-13T03:43:14.238Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-24741\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T23:28:12.084Z\", \"dateReserved\": \"2024-01-29T05:13:46.617Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-02-13T03:43:14.238Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702
SAP	N/A	SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731
SAP	N/A	SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (Guided Procedures) version 7.50
SAP	N/A	SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804
SAP	N/A	SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53
SAP	N/A	SAP Business Client versions 6.5, 7.0 et 7.70
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (User Admin Application) version 7.50
SAP	N/A	SAP Cloud Connector version 2.0
SAP	N/A	SAP Fiori app ("My Overtime Requests") versions 605
SAP	N/A	IDES Systems toutes versions
SAP	N/A	SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I
SAP	N/A	SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101
SAP	N/A	SAP Companion versions antérieures à 3.1.38
SAP	SAP CRM WebClient UI	SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801

References

Title

Publication Time

Tags

Bulletin de sécurité SAP february-2024 du 13 février 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (Guided Procedures) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (User Admin Application) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Cloud Connector version 2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori app (\"My Overtime Requests\") versions 605",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "IDES Systems toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Companion versions ant\u00e9rieures \u00e0 3.1.38",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "SAP CRM WebClient UI",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-24741",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24741"
    },
    {
      "name": "CVE-2024-22132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22132"
    },
    {
      "name": "CVE-2024-24739",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24739"
    },
    {
      "name": "CVE-2023-49580",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49580"
    },
    {
      "name": "CVE-2024-25643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25643"
    },
    {
      "name": "CVE-2024-24742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24742"
    },
    {
      "name": "CVE-2024-25642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25642"
    },
    {
      "name": "CVE-2024-24740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24740"
    },
    {
      "name": "CVE-2024-22129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22129"
    },
    {
      "name": "CVE-2024-22126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
    },
    {
      "name": "CVE-2024-22128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22128"
    },
    {
      "name": "CVE-2024-22131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22131"
    },
    {
      "name": "CVE-2024-22130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22130"
    },
    {
      "name": "CVE-2023-49058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49058"
    },
    {
      "name": "CVE-2024-24743",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24743"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-02-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP february-2024 du 13 f\u00e9vrier 2024",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
    }
  ]
}

CERTFR-2024-AVI-0125

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702
SAP	N/A	SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731
SAP	N/A	SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (Guided Procedures) version 7.50
SAP	N/A	SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804
SAP	N/A	SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53
SAP	N/A	SAP Business Client versions 6.5, 7.0 et 7.70
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS Java (User Admin Application) version 7.50
SAP	N/A	SAP Cloud Connector version 2.0
SAP	N/A	SAP Fiori app ("My Overtime Requests") versions 605
SAP	N/A	IDES Systems toutes versions
SAP	N/A	SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I
SAP	N/A	SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101
SAP	N/A	SAP Companion versions antérieures à 3.1.38
SAP	SAP CRM WebClient UI	SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801

References

Title

Publication Time

Tags

Bulletin de sécurité SAP february-2024 du 13 février 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Master Data Governance versions MDG_FND 731, MDG_FND 732, MDG_FND 746, MDG_FND 747, MDG_FND 748, MDG_FND 749, MDG_FND 752, MDG_FND 800, MDG_FND 802, MDG_FND 803, MDG_FND 804, MDG_FND 805, MDG_FND 806, MDG_FND 807, MDG_FND 808 et SAP_BS_FND 702",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NWBC for HTML versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702 et SAP_BASIS 731",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM (WebClient UI) versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (Guided Procedures) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Master Data Governance Material versions 618, 619, 620, 621, 622, 800, 801, 802, 803 et 804",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver Application Server ABAP (SAP Kernel) versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94 et KRNL64UC 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Client versions 6.5, 7.0 et 7.70",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS Java (User Admin Application) version 7.50",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Cloud Connector version 2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori app (\"My Overtime Requests\") versions 605",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "IDES Systems toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C et 75I",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP GUI pour Windows et SAP GUI pour Java versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BAM (Bank Account Management) versions SAP_FIN 618, SAP_FIN 730, S4CORE 100 et 101",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Companion versions ant\u00e9rieures \u00e0 3.1.38",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP CRM WebClient UI versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800 et WEBCUIF 801",
      "product": {
        "name": "SAP CRM WebClient UI",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-24741",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24741"
    },
    {
      "name": "CVE-2024-22132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22132"
    },
    {
      "name": "CVE-2024-24739",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24739"
    },
    {
      "name": "CVE-2023-49580",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49580"
    },
    {
      "name": "CVE-2024-25643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25643"
    },
    {
      "name": "CVE-2024-24742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24742"
    },
    {
      "name": "CVE-2024-25642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25642"
    },
    {
      "name": "CVE-2024-24740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24740"
    },
    {
      "name": "CVE-2024-22129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22129"
    },
    {
      "name": "CVE-2024-22126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
    },
    {
      "name": "CVE-2024-22128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22128"
    },
    {
      "name": "CVE-2024-22131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22131"
    },
    {
      "name": "CVE-2024-22130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22130"
    },
    {
      "name": "CVE-2023-49058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49058"
    },
    {
      "name": "CVE-2024-24743",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24743"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0125",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-02-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SAP. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP february-2024 du 13 f\u00e9vrier 2024",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
    }
  ]
}

CNVD-2024-23324

Vulnerability from cnvd - Published: 2024-05-16

Title

SAP Master Data Governance授权问题漏洞

Description

SAP Master Data Governance是德国思爱普（SAP）公司的一套用于维护、验证和分发主数据的数据管理工具。 SAP Master Data Governance for Material Data存在授权问题漏洞，该漏洞源于不会对经过身份验证的用户执行必要的授权检查，攻击者可利用该漏洞导致权限升级。

Severity

中

Patch Name

SAP Master Data Governance授权问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://me.sap.com/notes/2897391

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-24741

Impacted products

Name
['SAP SAP Master Data Governance 800', 'SAP SAP Master Data Governance 801', 'SAP SAP Master Data Governance 802', 'SAP SAP Master Data Governance 803', 'SAP SAP Master Data Governance 804', 'SAP SAP Master Data Governance 618', 'SAP SAP Master Data Governance 619', 'SAP SAP Master Data Governance 620', 'SAP SAP Master Data Governance 621', 'SAP SAP Master Data Governance 622']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-24741",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-24741"
    }
  },
  "description": "SAP Master Data Governance\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ef4\u62a4\u3001\u9a8c\u8bc1\u548c\u5206\u53d1\u4e3b\u6570\u636e\u7684\u6570\u636e\u7ba1\u7406\u5de5\u5177\u3002\n\nSAP Master Data Governance for Material Data\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u4f1a\u5bf9\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u5fc5\u8981\u7684\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6743\u9650\u5347\u7ea7\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://me.sap.com/notes/2897391",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-23324",
  "openTime": "2024-05-16",
  "patchDescription": "SAP Master Data Governance\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ef4\u62a4\u3001\u9a8c\u8bc1\u548c\u5206\u53d1\u4e3b\u6570\u636e\u7684\u6570\u636e\u7ba1\u7406\u5de5\u5177\u3002\r\n\r\nSAP Master Data Governance for Material Data\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u4f1a\u5bf9\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u5fc5\u8981\u7684\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6743\u9650\u5347\u7ea7\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Master Data Governance\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP SAP Master Data Governance 800",
      "SAP SAP Master Data Governance 801",
      "SAP SAP Master Data Governance 802",
      "SAP SAP Master Data Governance 803",
      "SAP SAP Master Data Governance 804",
      "SAP SAP Master Data Governance 618",
      "SAP SAP Master Data Governance 619",
      "SAP SAP Master Data Governance 620",
      "SAP SAP Master Data Governance 621",
      "SAP SAP Master Data Governance 622"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-24741",
  "serverity": "\u4e2d",
  "submitTime": "2024-03-21",
  "title": "SAP Master Data Governance\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

GHSA-WQ59-M22J-V4P5

Vulnerability from github – Published: 2024-02-13 06:30 – Updated: 2024-02-13 06:30

Details

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-24741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-13T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n",
  "id": "GHSA-wq59-m22j-v4p5",
  "modified": "2024-02-13T06:30:28Z",
  "published": "2024-02-13T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24741"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/2897391"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2024-0355

Vulnerability from csaf_certbund - Published: 2024-02-12 23:00 - Updated: 2024-02-12 23:00

Summary

SAP Software: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.

Angriff

Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site Scripting (XSS)-Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0355 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0355.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0355 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0355"
      },
      {
        "category": "external",
        "summary": "SAP Security Patch Day \u2013 February 2024 vom 2024-02-12",
        "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html"
      }
    ],
    "source_lang": "en-US",
    "title": "SAP Software: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-02-12T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:07.923+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0355",
      "initial_release_date": "2024-02-12T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-12T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SAP Software",
            "product": {
              "name": "SAP Software",
              "product_id": "T032707",
              "product_identification_helper": {
                "cpe": "cpe:/a:sap:sap:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SAP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-25643",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-25643"
    },
    {
      "cve": "CVE-2024-25642",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-25642"
    },
    {
      "cve": "CVE-2024-24743",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24743"
    },
    {
      "cve": "CVE-2024-24742",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24742"
    },
    {
      "cve": "CVE-2024-24741",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24741"
    },
    {
      "cve": "CVE-2024-24740",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24740"
    },
    {
      "cve": "CVE-2024-24739",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-24739"
    },
    {
      "cve": "CVE-2024-22132",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22132"
    },
    {
      "cve": "CVE-2024-22131",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22131"
    },
    {
      "cve": "CVE-2024-22130",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22130"
    },
    {
      "cve": "CVE-2024-22129",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22129"
    },
    {
      "cve": "CVE-2024-22128",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22128"
    },
    {
      "cve": "CVE-2024-22126",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2024-22126"
    },
    {
      "cve": "CVE-2023-49580",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2023-49580"
    },
    {
      "cve": "CVE-2023-49058",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Fehler bestehen in mehreren Subsystemen, Komponenten und Modulen wie WebClient UI, Bank Account Management, Cloud Connector oder NetWeaver aufgrund mehrerer sicherheitsrelevanter Probleme wie einer nicht ordnungsgem\u00e4\u00dfen Zertifikatsvalidierung, einer fehlenden Berechtigungspr\u00fcfung oder Problemen beim Directory Traversal. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Dateien zu manipulieren oder Cross-Site-Scripting (XSS)-Angriffe durchzuf\u00fchren. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T032707"
        ]
      },
      "release_date": "2024-02-12T23:00:00.000+00:00",
      "title": "CVE-2023-49058"
    }
  ]
}

GSD-2024-24741

Vulnerability from gsd - Updated: 2024-01-30 06:03

Details

Aliases

CVE-2024-24741

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24741"
      ],
      "details": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n",
      "id": "GSD-2024-24741",
      "modified": "2024-01-30T06:03:12.497598Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2024-24741",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP Master Data Governance Material",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "618"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "619"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "620"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "621"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "622"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "800"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "801"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "802"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "803"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "804"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP_SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-862",
                "lang": "eng",
                "value": "CWE-862: Missing Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://me.sap.com/notes/2897391",
            "refsource": "MISC",
            "url": "https://me.sap.com/notes/2897391"
          },
          {
            "name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
            "refsource": "MISC",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n"
          },
          {
            "lang": "es",
            "value": "SAP Master Data Governance for Material Data: versiones 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podr\u00eda permitir a un atacante leer informaci\u00f3n confidencial, pero no afectar\u00eda la integridad ni la disponibilidad."
          }
        ],
        "id": "CVE-2024-24741",
        "lastModified": "2024-02-13T14:01:40.577",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "cna@sap.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-13T04:15:08.340",
        "references": [
          {
            "source": "cna@sap.com",
            "url": "https://me.sap.com/notes/2897391"
          },
          {
            "source": "cna@sap.com",
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          }
        ],
        "sourceIdentifier": "cna@sap.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-862"
              }
            ],
            "source": "cna@sap.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-24741

Vulnerability from fkie_nvd - Published: 2024-02-13 04:15 - Updated: 2024-11-21 08:59

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
cna@sap.com	https://me.sap.com/notes/2897391	Permissions Required
cna@sap.com	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://me.sap.com/notes/2897391	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	master_data_governance_for_material_data	618
sap	master_data_governance_for_material_data	619
sap	master_data_governance_for_material_data	620
sap	master_data_governance_for_material_data	621
sap	master_data_governance_for_material_data	622
sap	master_data_governance_for_material_data	800
sap	master_data_governance_for_material_data	801
sap	master_data_governance_for_material_data	802
sap	master_data_governance_for_material_data	803
sap	master_data_governance_for_material_data	804

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:618:*:*:*:*:*:*:*",
              "matchCriteriaId": "11DBE392-E087-47C1-A929-C2106BBD765F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:619:*:*:*:*:*:*:*",
              "matchCriteriaId": "A54FC8EC-AFCE-47F4-83D6-A670CCED00F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:620:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC15EBBD-B074-4BAA-A725-DCD66138DAD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:621:*:*:*:*:*:*:*",
              "matchCriteriaId": "23B8D5F8-219C-47F4-98B7-E5B124563107",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:622:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA569B7D-9360-4B22-8F04-076CA8FC0EC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:800:*:*:*:*:*:*:*",
              "matchCriteriaId": "20E3C861-0668-42FD-BD02-539861F1CBDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:801:*:*:*:*:*:*:*",
              "matchCriteriaId": "C66BC0C1-702E-44BB-AA5C-02011760B0A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:802:*:*:*:*:*:*:*",
              "matchCriteriaId": "40EAAF80-6111-4ED7-9460-DC48576F52D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:803:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8F9E8C5-3C69-4E7A-8946-8A9B92698B7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:master_data_governance_for_material_data:804:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F74B545-1CD8-4405-8640-C27BE6715DC5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.\n\n"
    },
    {
      "lang": "es",
      "value": "SAP Master Data Governance for Material Data: versiones 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Esto podr\u00eda permitir a un atacante leer informaci\u00f3n confidencial, pero no afectar\u00eda la integridad ni la disponibilidad."
    }
  ],
  "id": "CVE-2024-24741",
  "lastModified": "2024-11-21T08:59:36.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-13T04:15:08.340",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/2897391"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/2897391"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-24741 (GCVE-0-2024-24741)

CERTFR-2024-AVI-0125

Solution

CERTFR-2024-AVI-0125

Solution

CNVD-2024-23324

GHSA-WQ59-M22J-V4P5

WID-SEC-W-2024-0355

GSD-2024-24741

FKIE_CVE-2024-24741

Tags

Sightings

Nomenclature