Vulnerabilites related to SAP_SE - SAP Application Interface Framework (File Adapter)
CVE-2024-21737 (GCVE-0-2024-21737)
Vulnerability from cvelistv5
Published
2024-01-09 01:18
Modified
2025-06-03 14:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP Application Interface Framework (File Adapter) |
Version: 702 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.109Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://me.sap.com/notes/3411869" }, { "tags": [ "x_transferred" ], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-21737", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-08T18:45:58.872494Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-03T14:33:33.116Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP Application Interface Framework (File Adapter)", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "702" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eIn SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\u003c/p\u003e" } ], "value": "In SAP Application Interface Framework File Adapter - version 702, a\u00a0high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this,\u00a0such user can control\u00a0the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-09T01:18:19.305Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3411869" }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Code Injection vulnerability in SAP Application Interface Framework (File Adapter)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2024-21737", "datePublished": "2024-01-09T01:18:19.305Z", "dateReserved": "2024-01-01T10:54:59.645Z", "dateUpdated": "2025-06-03T14:33:33.116Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }