fkie_cve-2024-42376
Vulnerability from fkie_nvd
Published
2024-08-13 04:15
Modified
2024-09-12 13:43
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.
References
cna@sap.comhttps://me.sap.com/notes/3474590Permissions Required
cna@sap.comhttps://url.sap/sapsecuritypatchdayVendor Advisory
Impacted products
Vendor Product Version
sap shared_service_framework sap_bs_fnd_702
sap shared_service_framework sap_bs_fnd_731
sap shared_service_framework sap_bs_fnd_746
sap shared_service_framework sap_bs_fnd_747
sap shared_service_framework sap_bs_fnd_748


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_702:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AC1EAA0-7B20-4B4C-9F7D-8F7832D91BCE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_731:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFE56A04-ADDE-4A27-87CA-C801DFA5CD80",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_746:*:*:*:*:*:*:*",
              "matchCriteriaId": "36822481-BB89-421A-99D5-33854E6080B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_747:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BA0ED8A-F75D-49DF-BD37-CD3273E2F8E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:shared_service_framework:sap_bs_fnd_748:*:*:*:*:*:*:*",
              "matchCriteriaId": "6852223A-C675-4F29-92E4-90092DBDF11E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Shared Service Framework does not perform necessary\nauthorization check for an authenticated user, resulting in escalation of\nprivileges. On successful exploitation, an attacker can cause a high impact on\nconfidentiality of the application."
    },
    {
      "lang": "es",
      "value": "SAP Shared Service Framework no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Si la explotaci\u00f3n tiene \u00e9xito, un atacante puede causar un gran impacto en la confidencialidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-42376",
  "lastModified": "2024-09-12T13:43:27.507",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-13T04:15:10.837",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3474590"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.