CVE-2024-34689 (GCVE-0-2024-34689)
Vulnerability from cvelistv5 – Published: 2024-07-09 04:18 – Updated: 2024-08-02 02:59
VLAI?
Summary
WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Business Workflow (WebFlow Services) |
Affected:
SAP_BASIS 700
Affected: SAP_BASIS 701 Affected: SAP_BASIS 702 Affected: SAP_BASIS 731 Affected: SAP_BASIS 740 Affected: SAP_BASIS 750 Affected: SAP_BASIS 751 Affected: SAP_BASIS 752 Affected: SAP_BASIS 753 Affected: SAP_BASIS 754 Affected: SAP_BASIS 755 Affected: SAP_BASIS 756 Affected: SAP_BASIS 757 Affected: SAP_BASIS 758 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_business_workflow_\\(webflow_services\\):*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "sap_business_workflow_\\(webflow_services\\)",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "SAP_BASIS 700"
},
{
"status": "affected",
"version": "SAP_BASIS 701"
},
{
"status": "affected",
"version": "SAP_BASIS 702"
},
{
"status": "affected",
"version": "SAP_BASIS 731"
},
{
"status": "affected",
"version": "SAP_BASIS 740"
},
{
"status": "affected",
"version": "SAP_BASIS 750"
},
{
"status": "affected",
"version": "SAP_BASIS 751"
},
{
"status": "affected",
"version": "SAP_BASIS 752"
},
{
"status": "affected",
"version": "SAP_BASIS 753"
},
{
"status": "affected",
"version": "SAP_BASIS 754"
},
{
"status": "affected",
"version": "SAP_BASIS 755"
},
{
"status": "affected",
"version": "SAP_BASIS 756"
},
{
"status": "affected",
"version": "SAP_BASIS 757"
},
{
"status": "affected",
"version": "SAP_BASIS 758"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:21:05.637426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:38:25.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3458789"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Workflow (WebFlow Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_BASIS 700"
},
{
"status": "affected",
"version": "SAP_BASIS 701"
},
{
"status": "affected",
"version": "SAP_BASIS 702"
},
{
"status": "affected",
"version": "SAP_BASIS 731"
},
{
"status": "affected",
"version": "SAP_BASIS 740"
},
{
"status": "affected",
"version": "SAP_BASIS 750"
},
{
"status": "affected",
"version": "SAP_BASIS 751"
},
{
"status": "affected",
"version": "SAP_BASIS 752"
},
{
"status": "affected",
"version": "SAP_BASIS 753"
},
{
"status": "affected",
"version": "SAP_BASIS 754"
},
{
"status": "affected",
"version": "SAP_BASIS 755"
},
{
"status": "affected",
"version": "SAP_BASIS 756"
},
{
"status": "affected",
"version": "SAP_BASIS 757"
},
{
"status": "affected",
"version": "SAP_BASIS 758"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application.\n\n\n\n"
}
],
"value": "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:18:21.258Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3458789"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-34689",
"datePublished": "2024-07-09T04:18:21.258Z",
"dateReserved": "2024-05-07T05:46:11.658Z",
"dateUpdated": "2024-08-02T02:59:22.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:business_workflow:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FF29F57-F1C8-4905-B61F-9E72BF689C39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85616273-040E-49CB-8EB6-D2D4D7B603E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6F774A45-2A9F-4873-A5DC-766D030C8CCD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3A0A2D6-9259-4A35-A236-F4BEE986C1FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DA4A6F0-C0F1-42CB-8BBD-7198064733EA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"86086D00-10BF-4C55-8D87-82CCBE468153\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F25246A-D9E5-4F0D-B91A-478D4E5570DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0218695F-C4AD-46BF-B176-F10C644A9C2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC9E7C3E-1005-450A-9198-E014C1BAADBC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3A177AB1-CC85-46EF-91DF-462096608C9F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7591F81-708C-4285-9BB2-F2B4BDB9759B\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\"}, {\"lang\": \"es\", \"value\": \"WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboraci\\u00f3n especial de solicitudes HTTP. Si se explota con \\u00e9xito, esto puede dar lugar a la divulgaci\\u00f3n de informaci\\u00f3n. No tiene ning\\u00fan impacto en la integridad y disponibilidad de la aplicaci\\u00f3n.\"}]",
"id": "CVE-2024-34689",
"lastModified": "2024-11-21T09:19:12.067",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}]}",
"published": "2024-07-09T05:15:10.873",
"references": "[{\"url\": \"https://me.sap.com/notes/3458789\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://url.sap/sapsecuritypatchday\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://me.sap.com/notes/3458789\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://url.sap/sapsecuritypatchday\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-34689\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-07-09T05:15:10.873\",\"lastModified\":\"2024-11-21T09:19:12.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\"},{\"lang\":\"es\",\"value\":\"WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboraci\u00f3n especial de solicitudes HTTP. Si se explota con \u00e9xito, esto puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n. No tiene ning\u00fan impacto en la integridad y disponibilidad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:business_workflow:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FF29F57-F1C8-4905-B61F-9E72BF689C39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85616273-040E-49CB-8EB6-D2D4D7B603E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F774A45-2A9F-4873-A5DC-766D030C8CCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3A0A2D6-9259-4A35-A236-F4BEE986C1FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DA4A6F0-C0F1-42CB-8BBD-7198064733EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86086D00-10BF-4C55-8D87-82CCBE468153\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F25246A-D9E5-4F0D-B91A-478D4E5570DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0218695F-C4AD-46BF-B176-F10C644A9C2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC9E7C3E-1005-450A-9198-E014C1BAADBC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A177AB1-CC85-46EF-91DF-462096608C9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7591F81-708C-4285-9BB2-F2B4BDB9759B\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3458789\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://me.sap.com/notes/3458789\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://me.sap.com/notes/3458789\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:59:22.630Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34689\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-25T14:21:05.637426Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap_se:sap_business_workflow_\\\\(webflow_services\\\\):*:*:*:*:*:*:*:*\"], \"vendor\": \"sap_se\", \"product\": \"sap_business_workflow_\\\\(webflow_services\\\\)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP_BASIS 700\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 701\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 702\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 731\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 740\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 750\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 751\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 752\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 753\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 754\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 755\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 756\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 757\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 758\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-25T14:33:34.730Z\"}}], \"cna\": {\"title\": \"[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Business Workflow (WebFlow Services)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP_BASIS 700\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 701\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 702\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 731\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 740\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 750\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 751\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 752\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 753\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 754\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 755\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 756\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 757\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 758\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\"}, {\"url\": \"https://me.sap.com/notes/3458789\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\\n\\n\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-07-09T04:18:21.258Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-34689\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:59:22.630Z\", \"dateReserved\": \"2024-05-07T05:46:11.658Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-07-09T04:18:21.258Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…