cve-2024-34689
Vulnerability from cvelistv5
Published
2024-07-09 04:18
Modified
2024-08-02 02:59
Severity ?
EPSS score ?
Summary
WebFlow Services of SAP Business Workflow allows
an authenticated attacker to enumerate accessible HTTP endpoints in the
internal network by specially crafting HTTP requests. On successful
exploitation this can result in information disclosure. It has no impact on
integrity and availability of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3458789 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/3458789 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | SAP_SE | SAP Business Workflow (WebFlow Services) |
Version: SAP_BASIS 700 Version: SAP_BASIS 701 Version: SAP_BASIS 702 Version: SAP_BASIS 731 Version: SAP_BASIS 740 Version: SAP_BASIS 750 Version: SAP_BASIS 751 Version: SAP_BASIS 752 Version: SAP_BASIS 753 Version: SAP_BASIS 754 Version: SAP_BASIS 755 Version: SAP_BASIS 756 Version: SAP_BASIS 757 Version: SAP_BASIS 758 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_business_workflow_\\(webflow_services\\):*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "sap_business_workflow_\\(webflow_services\\)",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "SAP_BASIS 700"
},
{
"status": "affected",
"version": "SAP_BASIS 701"
},
{
"status": "affected",
"version": "SAP_BASIS 702"
},
{
"status": "affected",
"version": "SAP_BASIS 731"
},
{
"status": "affected",
"version": "SAP_BASIS 740"
},
{
"status": "affected",
"version": "SAP_BASIS 750"
},
{
"status": "affected",
"version": "SAP_BASIS 751"
},
{
"status": "affected",
"version": "SAP_BASIS 752"
},
{
"status": "affected",
"version": "SAP_BASIS 753"
},
{
"status": "affected",
"version": "SAP_BASIS 754"
},
{
"status": "affected",
"version": "SAP_BASIS 755"
},
{
"status": "affected",
"version": "SAP_BASIS 756"
},
{
"status": "affected",
"version": "SAP_BASIS 757"
},
{
"status": "affected",
"version": "SAP_BASIS 758"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:21:05.637426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:38:25.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3458789"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Business Workflow (WebFlow Services)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_BASIS 700"
},
{
"status": "affected",
"version": "SAP_BASIS 701"
},
{
"status": "affected",
"version": "SAP_BASIS 702"
},
{
"status": "affected",
"version": "SAP_BASIS 731"
},
{
"status": "affected",
"version": "SAP_BASIS 740"
},
{
"status": "affected",
"version": "SAP_BASIS 750"
},
{
"status": "affected",
"version": "SAP_BASIS 751"
},
{
"status": "affected",
"version": "SAP_BASIS 752"
},
{
"status": "affected",
"version": "SAP_BASIS 753"
},
{
"status": "affected",
"version": "SAP_BASIS 754"
},
{
"status": "affected",
"version": "SAP_BASIS 755"
},
{
"status": "affected",
"version": "SAP_BASIS 756"
},
{
"status": "affected",
"version": "SAP_BASIS 757"
},
{
"status": "affected",
"version": "SAP_BASIS 758"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application.\n\n\n\n"
}
],
"value": "WebFlow Services of SAP Business Workflow allows\nan authenticated attacker to enumerate accessible HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T04:18:21.258Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3458789"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-34689",
"datePublished": "2024-07-09T04:18:21.258Z",
"dateReserved": "2024-05-07T05:46:11.658Z",
"dateUpdated": "2024-08-02T02:59:22.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:business_workflow:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FF29F57-F1C8-4905-B61F-9E72BF689C39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85616273-040E-49CB-8EB6-D2D4D7B603E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6F774A45-2A9F-4873-A5DC-766D030C8CCD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3A0A2D6-9259-4A35-A236-F4BEE986C1FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DA4A6F0-C0F1-42CB-8BBD-7198064733EA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"86086D00-10BF-4C55-8D87-82CCBE468153\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F25246A-D9E5-4F0D-B91A-478D4E5570DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0218695F-C4AD-46BF-B176-F10C644A9C2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC9E7C3E-1005-450A-9198-E014C1BAADBC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3A177AB1-CC85-46EF-91DF-462096608C9F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7591F81-708C-4285-9BB2-F2B4BDB9759B\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\"}, {\"lang\": \"es\", \"value\": \"WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboraci\\u00f3n especial de solicitudes HTTP. Si se explota con \\u00e9xito, esto puede dar lugar a la divulgaci\\u00f3n de informaci\\u00f3n. No tiene ning\\u00fan impacto en la integridad y disponibilidad de la aplicaci\\u00f3n.\"}]",
"id": "CVE-2024-34689",
"lastModified": "2024-11-21T09:19:12.067",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}]}",
"published": "2024-07-09T05:15:10.873",
"references": "[{\"url\": \"https://me.sap.com/notes/3458789\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://url.sap/sapsecuritypatchday\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://me.sap.com/notes/3458789\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://url.sap/sapsecuritypatchday\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-34689\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2024-07-09T05:15:10.873\",\"lastModified\":\"2024-11-21T09:19:12.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\"},{\"lang\":\"es\",\"value\":\"WebFlow Services de SAP Business Workflow permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboraci\u00f3n especial de solicitudes HTTP. Si se explota con \u00e9xito, esto puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n. No tiene ning\u00fan impacto en la integridad y disponibilidad de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:business_workflow:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FF29F57-F1C8-4905-B61F-9E72BF689C39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:700:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85616273-040E-49CB-8EB6-D2D4D7B603E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:701:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5F2C3A9-DCC0-4FF1-8E68-9EA150E209F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:702:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F774A45-2A9F-4873-A5DC-766D030C8CCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:731:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3A0A2D6-9259-4A35-A236-F4BEE986C1FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:740:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49C3A8E5-FA6A-4EF3-BF50-FD4E1576024F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:750:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABA8AB4E-3FE6-46A8-847E-660C5DF6CE71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:751:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DA4A6F0-C0F1-42CB-8BBD-7198064733EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:752:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C121CC9-26F6-4103-8EB0-BAFF6B5B5FE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:753:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86086D00-10BF-4C55-8D87-82CCBE468153\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:754:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F25246A-D9E5-4F0D-B91A-478D4E5570DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:755:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0218695F-C4AD-46BF-B176-F10C644A9C2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:756:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC9E7C3E-1005-450A-9198-E014C1BAADBC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:757:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A177AB1-CC85-46EF-91DF-462096608C9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis:758:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7591F81-708C-4285-9BB2-F2B4BDB9759B\"}]}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3458789\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://me.sap.com/notes/3458789\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://me.sap.com/notes/3458789\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:59:22.630Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34689\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-25T14:21:05.637426Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sap_se:sap_business_workflow_\\\\(webflow_services\\\\):*:*:*:*:*:*:*:*\"], \"vendor\": \"sap_se\", \"product\": \"sap_business_workflow_\\\\(webflow_services\\\\)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP_BASIS 700\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 701\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 702\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 731\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 740\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 750\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 751\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 752\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 753\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 754\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 755\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 756\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 757\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 758\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-25T14:33:34.730Z\"}}], \"cna\": {\"title\": \"[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Business Workflow (WebFlow Services)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SAP_BASIS 700\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 701\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 702\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 731\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 740\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 750\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 751\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 752\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 753\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 754\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 755\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 756\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 757\"}, {\"status\": \"affected\", \"version\": \"SAP_BASIS 758\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://url.sap/sapsecuritypatchday\"}, {\"url\": \"https://me.sap.com/notes/3458789\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"WebFlow Services of SAP Business Workflow allows\\nan authenticated attacker to enumerate accessible HTTP endpoints in the\\ninternal network by specially crafting HTTP requests. On successful\\nexploitation this can result in information disclosure. It has no impact on\\nintegrity and availability of the application.\\n\\n\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2024-07-09T04:18:21.258Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-34689\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:59:22.630Z\", \"dateReserved\": \"2024-05-07T05:46:11.658Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2024-07-09T04:18:21.258Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.