CVE-2024-39598

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3467377	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:::::::*
	cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:::::::*

History

29 Aug 2024, 19:04

Type	Values Removed	Values Added
First Time		Sap Sap customer Relationship Management S4fnd Sap customer Relationship Management Webclient Ui
CVSS	v2 : ~~unknown~~ v3 : ~~5.0~~	v2 : unknown v3 : 7.7
References	~~() https://me.sap.com/notes/3467377 -~~	() https://me.sap.com/notes/3467377 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory
CPE		cpe:2.3:a:sap:customer_relationship_management_s4fnd:103:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:108:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:104:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:106:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:748:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:731:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:105:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:701:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:800:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:801:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:102:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:747:::::::* cpe:2.3:a:sap:customer_relationship_management_s4fnd:107:::::::* cpe:2.3:a:sap:customer_relationship_management_webclient_ui:746:::::::*

09 Jul 2024, 18:19

Type	Values Removed	Values Added
Summary		(es) SAP CRM (WebClient UI Framework) permite a un atacante autenticado enumerar endpoints HTTP accesibles en la red interna mediante la elaboración especial de solicitudes HTTP. Si se explota con éxito, esto puede dar lugar a la divulgación de información. No tiene ningún impacto en la integridad y disponibilidad de la aplicación.

09 Jul 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 04:15

Updated : 2024-08-29 19:04

NVD link : CVE-2024-39598

Mitre link : CVE-2024-39598

CVE.ORG link : CVE-2024-39598

JSON object : View

Products Affected

sap

customer_relationship_management_webclient_ui
customer_relationship_management_s4fnd

CWE

CWE-918

Server-Side Request Forgery (SSRF)

7.7 /10