Vulnerabilities related to SAP_SE - SAP Service Parts Management (SPM)
CVE-2025-43009 (GCVE-0-2025-43009)
Vulnerability from cvelistv5
Published
2025-05-13 00:19
Modified
2025-05-13 14:11
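Severity: 6.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (CVSS v3.1, as scored by the CNA in the record below)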
CWE
- CWE-862 - Missing Authorization
Summary
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.
References
- https://me.sap.com/notes/2491817
- https://url.sap/sapsecuritypatchday
Impacted products
| Vendor | Product | Affected versions |
|---|---|---|
| SAP_SE | SAP Service Parts Management (SPM) | SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, S4CORE 100, 101, 102 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-43009", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-13T14:09:37.192975Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-13T14:11:47.930Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP Service Parts Management (SPM)", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "SAP_APPL 600" }, { "status": "affected", "version": "602" }, { "status": "affected", "version": "603" }, { "status": "affected", "version": "604" }, { "status": "affected", "version": "605" }, { "status": "affected", "version": "606" }, { "status": "affected", "version": "616" }, { "status": "affected", "version": "617" }, { "status": "affected", "version": "618" }, { "status": "affected", "version": "S4CORE 100" }, { "status": "affected", "version": "101" }, { "status": "affected", "version": "102" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.\u003c/p\u003e" } ], "value": "SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T00:19:41.795Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/2491817" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Missing Authorization check in SAP Service Parts Management (SPM)", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2025-43009", "datePublished": "2025-05-13T00:19:41.795Z", "dateReserved": "2025-04-16T13:25:53.589Z", "dateUpdated": "2025-05-13T14:11:47.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-43007 (GCVE-0-2025-43007)
Vulnerability from cvelistv5
Published
2025-05-13 00:19
Modified
2025-05-13 13:58
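Severity: 6.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (CVSS v3.1, as scored by the CNA in the record below)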
CWE
- CWE-862 - Missing Authorization
Summary
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application.
References
- https://me.sap.com/notes/2719724
- https://url.sap/sapsecuritypatchday
Impacted products
| Vendor | Product | Affected versions |
|---|---|---|
| SAP_SE | SAP Service Parts Management (SPM) | SAP_APPL 617, 618, S4CORE 100, 101, 102, 103 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-43007", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-13T13:58:07.991282Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-13T13:58:16.900Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP Service Parts Management (SPM)", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "SAP_APPL 617" }, { "status": "affected", "version": "618" }, { "status": "affected", "version": "S4CORE 100" }, { "status": "affected", "version": "101" }, { "status": "affected", "version": "102" }, { "status": "affected", "version": "103" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e" } ], "value": "SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T00:19:18.709Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/2719724" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Missing Authorization check in SAP Service Parts Management (SPM)", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2025-43007", "datePublished": "2025-05-13T00:19:18.709Z", "dateReserved": "2025-04-16T13:25:53.589Z", "dateUpdated": "2025-05-13T13:58:16.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }