CVE-2024-34692

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3476340	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*

History

09 Sep 2024, 15:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~3.3~~	v2 : unknown v3 : 4.6
CPE		cpe:2.3:a:sap:enable_now::::::::
First Time		Sap Sap enable Now
References	~~() https://me.sap.com/notes/3476340 -~~	() https://me.sap.com/notes/3476340 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory

09 Jul 2024, 18:19

Type	Values Removed	Values Added
Summary		(es) Debido a la falta de verificación del tipo o contenido del archivo, SAP Enable Now permite que un atacante autenticado cargue archivos arbitrarios. Estos archivos incluyen archivos ejecutables que el usuario puede descargar y ejecutar y que podrían alojar malware. Si un atacante la explota con éxito, puede causar un impacto limitado en la confidencialidad y la integridad de la aplicación.

09 Jul 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 05:15

Updated : 2024-09-09 15:33

NVD link : CVE-2024-34692

Mitre link : CVE-2024-34692

CVE.ORG link : CVE-2024-34692

JSON object : View

Products Affected

sap

enable_now

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-34692", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}]}, "published": "2024-07-09T05:15:11.183", "references": [{"url": "https://me.sap.com/notes/3476340", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Due to missing verification of file type or\ncontent, SAP Enable Now allows an authenticated attacker to upload arbitrary\nfiles. These files include executables which might be downloaded and executed\nby the user which could host malware. On successful exploitation an attacker\ncan cause limited impact on confidentiality and Integrity of the application."}, {"lang": "es", "value": "Debido a la falta de verificaci\u00f3n del tipo o contenido del archivo, SAP Enable Now permite que un atacante autenticado cargue archivos arbitrarios. Estos archivos incluyen archivos ejecutables que el usuario puede descargar y ejecutar y que podr\u00edan alojar malware. Si un atacante la explota con \u00e9xito, puede causar un impacto limitado en la confidencialidad y la integridad de la aplicaci\u00f3n."}], "lastModified": "2024-09-09T15:33:55.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1C2C770-82FA-45DE-9EEA-E377501B05A9"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}