fkie_cve-2025-25244
Vulnerability from fkie_nvd
Published
2025-03-11 01:15
Modified
2025-03-11 01:15
Severity ?
5.7 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on confidentiality or availability.
References
cna@sap.comhttps://me.sap.com/notes/3552144
cna@sap.comhttps://url.sap/sapsecuritypatchday
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on confidentiality or availability."
    },
    {
      "lang": "es",
      "value": "SAP Business Warehouse (Cadenas de procesos) permite a un atacante manipular la ejecuci\u00f3n del proceso debido a la falta de verificaci\u00f3n de autorizaci\u00f3n. Un atacante con autorizaci\u00f3n de visualizaci\u00f3n para el objeto de cadena de procesos podr\u00eda configurar uno o todos los procesos para que se omitan. Esto significa que las actividades correspondientes, como la carga, activaci\u00f3n o eliminaci\u00f3n de datos, no se ejecutar\u00e1n como se model\u00f3 inicialmente. Esto podr\u00eda generar resultados inesperados en los informes comerciales que generen un impacto significativo en la integridad. Sin embargo, no hay impacto en la confidencialidad o disponibilidad."
    }
  ],
  "id": "CVE-2025-25244",
  "lastModified": "2025-03-11T01:15:34.927",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-11T01:15:34.927",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3552144"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.