Vulnerabilites related to sap - hana-client
Vulnerability from fkie_nvd
Published
2024-10-08 04:15
Modified
2024-11-14 17:54
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3520100 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory | |
| cna@sap.com | https://www.npmjs.com/package/@sap/hana-client?activeTab=code | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | hana-client | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:hana-client:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F5C1E6EC-59D6-4B6B-AEFA-5CA4E39D8AC2",
"versionEndExcluding": "2.21.31",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity."
},
{
"lang": "es",
"value": "Las versiones del paquete de cliente SAP HANA Node.js de la 2.0.0 anterior a la 2.21.31 se ven afectadas por la vulnerabilidad de contaminaci\u00f3n de prototipos, que permite a un atacante agregar propiedades arbitrarias a los prototipos de objetos globales. Esto se debe a una desinfecci\u00f3n inadecuada de la entrada del usuario al utilizar la funci\u00f3n nestTables, lo que tiene un impacto bajo en la disponibilidad de la aplicaci\u00f3n. Esto no tiene impacto en la confidencialidad ni la integridad."
}
],
"id": "CVE-2024-45277",
"lastModified": "2024-11-14T17:54:28.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-08T04:15:08.133",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3520100"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"source": "cna@sap.com",
"tags": [
"Product"
],
"url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
CVE-2024-45277 (GCVE-0-2024-45277)
Vulnerability from cvelistv5
Published
2024-10-08 03:21
Modified
2024-10-08 14:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
Summary
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP HANA Client |
Version: HDB_CLIENT 2.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap_se:sap_hana_client:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sap_hana_client",
"vendor": "sap_se",
"versions": [
{
"status": "affected",
"version": "HDB_CLIENT 2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T13:59:56.396341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:01:44.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP HANA Client",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HDB_CLIENT 2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.\u003c/p\u003e"
}
],
"value": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T09:52:33.850Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3520100"
},
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Prototype Pollution vulnerability in SAP HANA Client",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-45277",
"datePublished": "2024-10-08T03:21:16.236Z",
"dateReserved": "2024-08-26T10:39:20.931Z",
"dateUpdated": "2024-10-08T14:01:44.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}