CVE-2024-37172

SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3457354	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:sap:s4core:107:::::::*
	cpe:2.3:a:sap:s4core:108:::::::*

cpe:2.3:a:sap:s\/4hana:-:*:*:*:*:*:*:*

History

09 Sep 2024, 15:41

Type	Values Removed	Values Added
References	~~() https://me.sap.com/notes/3457354 -~~	() https://me.sap.com/notes/3457354 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory
CPE		cpe:2.3:a:sap:s4core:108:::::::* cpe:2.3:a:sap:s\/4hana:-:::::::* cpe:2.3:a:sap:s4core:107:::::::*
First Time		Sap s4core Sap Sap s\/4hana

09 Jul 2024, 18:19

Type	Values Removed	Values Added
Summary		(es) SAP S/4HANA Finance (Advanced Payment Management) no realiza la verificación de autorización necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un bajo impacto en la confidencialidad y la disponibilidad, pero no tiene ningún impacto en la integridad.

09 Jul 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 05:15

Updated : 2024-09-09 15:41

NVD link : CVE-2024-37172

Mitre link : CVE-2024-37172

CVE.ORG link : CVE-2024-37172

JSON object : View

Products Affected

sap

s4core
s\/4hana

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-37172", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2024-07-09T05:15:11.607", "references": [{"url": "https://me.sap.com/notes/3457354", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SAP S/4HANA Finance (Advanced Payment\nManagement) does not perform necessary authorization check for an authenticated\nuser, resulting in escalation of privileges. As a result, it has a low impact\nto confidentiality and availability but there is no impact on the integrity."}, {"lang": "es", "value": "SAP S/4HANA Finance (Advanced Payment Management) no realiza la verificaci\u00f3n de autorizaci\u00f3n necesaria para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un bajo impacto en la confidencialidad y la disponibilidad, pero no tiene ning\u00fan impacto en la integridad."}], "lastModified": "2024-09-09T15:41:06.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:s4core:107:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DEFABE8-1797-4C7B-941C-3205AE90914B"}, {"criteria": "cpe:2.3:a:sap:s4core:108:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78832FB6-B1DD-4516-B1DF-D90BB58BF25A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:s\\/4hana:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "61225714-D573-435F-9423-7AE6A8ED59BC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cna@sap.com"}